
Analysis Report FriKanya.exe

Overview

General Information

Sample Name: FriKanya.exe
Analysis ID: 255479
MD5: 9b65bdf577ccfeacc1abb78248f96fc4
SHA1: 0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099
SHA256: 02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • FriKanya.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\FriKanya.exe' MD5: 9B65BDF577CCFEACC1ABB78248F96FC4)
    • AddInProcess32.exe (PID: 5812 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • MyKanyAasean.exe (PID: 6984 cmdline: 'C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe' MD5: F2A47587431C466535F3C3D3427724BE)
    • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MyKanyAasean.exe (PID: 1836 cmdline: 'C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe' MD5: F2A47587431C466535F3C3D3427724BE)
    • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": " g8cocE1", "URL: ": "", "To: ": "chevyview450@gmail.com", "ByHost: ": "mail.cam-asean.com:587", "Password: ": " us6Oe24Fxi", "From: ": "kanya@cam-asean.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security |
0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | agenttesla_smtp_variant | unknown | j from thl <j@techhelplist.com> with thx to @fumik0_ !!1! | matched strings listed below
  • 0x1f10:$a: type={
  • 0x1f9c:$a: type={
  • 0x1f1a:$b: hwid={
  • 0x1fa6:$b: hwid={
  • 0x1f24:$c: time={
  • 0x1fb0:$c: time={
  • 0x1f2e:$d: pcname={
  • 0x1fba:$d: pcname={
  • 0x1f3a:$e: logdata={
  • 0x1fc6:$e: logdata={
  • 0x1f47:$f: screen={
  • 0x1fd3:$f: screen={
  • 0x1f53:$g: ipadd={
  • 0x1fdf:$g: ipadd={
  • 0x1f5e:$h: webcam_link={
  • 0x1fea:$h: webcam_link={
  • 0x1f6f:$i: screen_link={
  • 0x1ffb:$i: screen_link={
  • 0x1f80:$k: [passwords]
  • 0x200c:$k: [passwords]
00000000.00000002.337226001.0000000004249000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.494476671.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data:
  • Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • CommandLine|base64offset|contains: 
  • Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\FriKanya.exe'
  • ParentImage: C:\Users\user\Desktop\FriKanya.exe
  • ParentProcessId: 6428
  • ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
  • ProcessId: 5812

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.5812.11.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": " g8cocE1", "URL: ": "", "To: ": "chevyview450@gmail.com", "ByHost: ": "mail.cam-asean.com:587", "Password: ": " us6Oe24Fxi", "From: ": "kanya@cam-asean.com"}

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com (4 identical events)
Source: global traffic | TCP traffic: 192.168.2.7:49744 -> 107.180.12.39:587 (2 identical events)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: checkip.amazonaws.com, Connection: Keep-Alive (2 identical events)
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: AddInProcess32.exe, 0000000B.00000002.497866157.0000000002D0A000.00000004.00000001.sdmp | String found in binary or memory: http://23J2KZ396ROywv.net
Source: AddInProcess32.exe, 0000000B.00000002.495793208.0000000000EF5000.00000004.00000020.sdmp | String found in binary or memory: http://23J2KZ396ROywv.netB8
Source: AddInProcess32.exe, 0000000B.00000002.498351580.0000000002DFA000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: AddInProcess32.exe, 0000000B.00000002.497866157.0000000002D0A000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: AddInProcess32.exe, 0000000B.00000002.497866157.0000000002D0A000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com4ElT
Source: AddInProcess32.exe, 0000000B.00000002.498351580.0000000002DFA000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.us-east-1.prod.check-ip.aws.a2z.com
Source: AddInProcess32.exe, 0000000B.00000002.498442692.0000000002E12000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cam-asean.com
Source: AddInProcess32.exe, 0000000B.00000002.497866157.0000000002D0A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf
Source: AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: AddInProcess32.exe PID: 5812, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected Agent Tesla Trojan
Source: Yara match | File source: 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 5812, type: MEMORY
.NET source code contains very large array initializations
Source: FriKanya.exe, u0036Gfu007cPgu00408u00217/u0036Yru0026Anu002b75X.cs | Large array initialization: F~n24gG)M6: array initializer size 91648
Source: 0.2.FriKanya.exe.d60000.0.unpack, u0036Gfu007cPgu00408u00217/u0036Yru0026Anu002b75X.cs | Large array initialization: F~n24gG)M6: array initializer size 91648
Source: 0.0.FriKanya.exe.d60000.0.unpack, u0036Gfu007cPgu00408u00217/u0036Yru0026Anu002b75X.cs | Large array initialization: F~n24gG)M6: array initializer size 91648
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_05DE0C20 CreateProcessAsUserW
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_0152ADB8
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_0152ADA7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00FDDA01
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01085370
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_010833A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_010885EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01082790
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_010897A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01082AD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0108FDF8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_010885E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0108A492
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0108D700
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01089770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0108DC3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0108DCB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05499958
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549F968
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549610A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549AC50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549B450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05495C50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549D088
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05493B68
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05499260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549E220
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05499948
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549E57C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05490100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05491D24
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054955E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05491DF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054961AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05491C08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492C29
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549302E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549E837
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054960DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549D8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492CD3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549D8E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054960E6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054900F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492C89
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05496084
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05493B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492B50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492B06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492BDF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054927EE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054933FF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549BB88
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549E212
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492A2D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492ABC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054C5010
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054C5830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054C92D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054C4F90
Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Code function: 13_2_006D2050
Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Code function: 23_2_001A2050
Source: FriKanya.exe | Binary or memory string: OriginalFilename vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000003.329017101.0000000006B2D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKNWLTWCAVTCNQMLKWBGITUWPRSBVTZJJCASAVPNA_20190808091202792.exe4 vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWlOsyZq.dllF vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.338984522.0000000005930000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameresourceLib.dll8 vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.337226001.0000000004249000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.332388635.0000000000D62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIELibrght vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.332388635.0000000000D62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKN808091202792.exe( vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.335103704.0000000003121000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIELibr vs FriKanya.exe
Source: FriKanya.exe, 00000000.00000002.335103704.0000000003121000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKN vs FriKanya.exe
Source: FriKanya.exe | Binary or memory string: OriginalFilenameIELibrght vs FriKanya.exe
Source: FriKanya.exe | Binary or memory string: OriginalFilenameKN808091202792.exe( vs FriKanya.exe
Source: 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: AddInProcess32.exe PID: 5812, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/4@5/2
Source: C:\Users\user\Desktop\FriKanya.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FriKanya.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Users\user\Desktop\FriKanya.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: FriKanya.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FriKanya.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FriKanya.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 identical events)
Source: C:\Users\user\Desktop\FriKanya.exe | File read: C:\Users\user\Desktop\FriKanya.exe
Source: unknown | Process created: C:\Users\user\Desktop\FriKanya.exe 'C:\Users\user\Desktop\FriKanya.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe 'C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe 'C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FriKanya.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\FriKanya.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\FriKanya.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FriKanya.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FriKanya.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: MyKanyAasean.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\user\Desktop\FriKanya.PDB6 | source: FriKanya.exe, 00000000.00000002.333178397.0000000000FA8000.00000004.00000010.sdmp
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb | source: FriKanya.exe, 00000000.00000002.337226001.0000000004249000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000002.497776736.0000000002CDE000.00000004.00000001.sdmp
Source: Binary string: X obj\Debug\IELibrary.pdb~ | source: FriKanya.exe
Source: Binary string: AddInProcess32.pdbpw | source: FriKanya.exe, 00000000.00000002.340085216.0000000006E30000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.322880183.0000000000912000.00000002.00020000.sdmp, MyKanyAasean.exe, 0000000D.00000000.399118441.00000000006D2000.00000002.00020000.sdmp, MyKanyAasean.exe, 00000017.00000002.419206806.00000000001A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: .pdb'H | source: FriKanya.exe, 00000000.00000002.333178397.0000000000FA8000.00000004.00000010.sdmp
Source: Binary string: obj\Debug\IELibrary.pdb | source: FriKanya.exe
Source: Binary string: (Pfh0C:\Windows\mscorlib.pdb | source: FriKanya.exe, 00000000.00000002.333178397.0000000000FA8000.00000004.00000010.sdmp
Source: Binary string: m<obj\Debug\IELibrary.pdb | source: FriKanya.exe, 00000000.00000002.335103704.0000000003121000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_00D62BC0 push ebx; iretd 0_2_00D62BC1
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_00D629F2 push edi; retf 0_2_00D62A32
Source: C:\Users\user\Desktop\FriKanya.exe | Code function: 0_2_00D6281D push esp; iretd 0_2_00D62827
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01080A7C pushad ; retf 11_2_01080AB9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0549E899 push 0BBAC769h; ret 11_2_0549E8A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_054C4A19 push 2300058Bh; ret 11_2_054C4A1E
Source: C:\Users\user\Desktop\FriKanya.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File created: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MyKanyAasean (2 identical events)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\FriKanya.exe | Process information set: NOOPENFILEERRORBOX (39 identical events)
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FriKanya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)

            Malware Analysis System Evasion:

            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\FriKanya.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\FriKanya.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\FriKanya.exe | Window / User API: threadDelayed 408
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 1964
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 7707
            Source: C:\Users\user\Desktop\FriKanya.exe TID: 5788 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\FriKanya.exe TID: 5716 | Thread sleep count: 110 > 30
            Source: C:\Users\user\Desktop\FriKanya.exe TID: 5716 | Thread sleep count: 408 > 30
            Source: C:\Users\user\Desktop\FriKanya.exe TID: 5720 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 5012 | Thread sleep count: 33 > 30
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 5012 | Thread sleep time: -30437127721620741s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 4872 | Thread sleep count: 1964 > 30
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 4872 | Thread sleep count: 7707 > 30
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe TID: 6488 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe TID: 568 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: VMware, Inc.
            Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: CompanyNameVMware, Inc.2
            Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware WorkstationP
            Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: CommentsVMware Workstation:
            Source: FriKanya.exe, 00000000.00000002.336826995.0000000004130000.00000004.00000001.sdmp | Binary or memory string: VMware Workstation
            Source: C:\Users\user\Desktop\FriKanya.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_05492784 LdrInitializeThunk,11_2_05492784
            Source: C:\Users\user\Desktop\FriKanya.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 456000
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 458000
            Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A3E008
            Source: C:\Users\user\Desktop\FriKanya.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
            Source: AddInProcess32.exe, 0000000B.00000002.497229076.0000000001720000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: AddInProcess32.exe, 0000000B.00000002.497229076.0000000001720000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: AddInProcess32.exe, 0000000B.00000002.497229076.0000000001720000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: AddInProcess32.exe, 0000000B.00000002.497229076.0000000001720000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
            Source: C:\Users\user\Desktop\FriKanya.exe | Queries volume information: C:\Users\user\Desktop\FriKanya.exe VolumeInformation
            Source: C:\Users\user\Desktop\FriKanya.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\FriKanya.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Queries volume information: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean\MyKanyAasean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
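            The two signature groups above (sandbox evasion through hardware WMI queries and oversized sleeps, and PE injection into AddInProcess32.exe through an RWX allocation at base 400000 followed by a write beginning with the MZ magic 4D5A and a process creation for the same target) are reported as separate evidence lines. The following Python is an added example, not part of the report or of Joe Sandbox, that correlates lines of this shape into per-process verdicts. The sample lines are copied from the evidence above but rewritten in a constructed "Source: <process> | <event>: <detail>" form, the 30000 s and 30-iteration thresholds are the ones the report's own rules print, and the extra Win32_Bios and Win32_ComputerSystem classes are an assumption added because they return the same vendor strings. Note that the VMware strings found in FriKanya.exe memory are weak evidence by themselves (they may be the malware's VM blacklist or material mapped by the environment); the WMI queries and the alloc/write/create chain are what the correlation keys on.

```python
import re
from collections import defaultdict

# Thresholds printed by the report's own rules: a sleep of >= 30000 s and a
# sleep loop of > 30 iterations are both treated as analysis evasion.
LONG_SLEEP_SECONDS = 30_000
SLEEP_LOOP_ITERATIONS = 30
# Classes the report flags (BaseBoard, Processor) plus two assumed ones that
# expose the same hypervisor vendor strings.
HW_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem"}

# Constructed line format: "Source: <process> | <event>: <detail>"
LINE_RE = re.compile(r"Source:\s*(?P<src>.+?)\s*\|\s*(?P<event>[^:|]+):\s*(?P<detail>.*)$")
ALLOC_RE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")

# Sample input: evidence lines from this report, reformatted, plus one
# constructed benign control line (a self-allocation with no foreign target).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\FriKanya.exe TID: 5788 | Thread sleep time: -4611686018427385s >= -30000s",
    r"Source: C:\Users\user\Desktop\FriKanya.exe TID: 5716 | Thread sleep count: 408 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\FriKanya.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\FriKanya.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000",
    r"Source: C:\Users\user\Desktop\FriKanya.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
    r"Source: C:\Users\user\Desktop\FriKanya.exe | Memory allocated: page read and write | page guard",
]


def _new_findings():
    return {"wmi": set(), "sleeps": [], "loops": [],
            "rwx": defaultdict(set), "mz": defaultdict(set), "created": set()}


def parse_line(line, findings):
    """Fold one evidence line into the per-source findings table."""
    m = LINE_RE.match(line)
    if not m:
        return
    src = re.sub(r"\s+TID:\s*\d+$", "", m["src"])  # thread id is not part of the process key
    event, detail = m["event"].strip(), m["detail"].strip()
    f = findings[src]
    if event == "WMI Queries":
        f["wmi"].update(c for c in re.findall(r"Win32_\w+", detail) if c in HW_WMI_CLASSES)
    elif event == "Thread sleep time":
        n = re.search(r"(-?\d+)s\b", detail)  # first value is the requested sleep
        if n and abs(int(n.group(1))) >= LONG_SLEEP_SECONDS:
            f["sleeps"].append(abs(int(n.group(1))))
    elif event == "Thread sleep count":
        n = re.search(r"\d+", detail)
        if n and int(n.group()) > SLEEP_LOOP_ITERATIONS:
            f["loops"].append(int(n.group()))
    elif event == "Memory allocated":
        a = ALLOC_RE.match(detail)  # only foreign allocations carry a target path
        if a and "execute" in a["prot"] and "write" in a["prot"]:
            f["rwx"][a["target"]].add(int(a["base"], 16))
    elif event == "Memory written":
        w = WRITE_RE.match(detail)
        if w and (w["magic"] or "").upper() == "4D5A":  # PE header lands at this base
            f["mz"][w["target"]].add(int(w["base"], 16))
    elif event == "Process created":
        f["created"].add(detail.split()[0])


def assess(lines):
    """Return {source process: [verdict tags]} after correlating all lines."""
    findings = defaultdict(_new_findings)
    for line in lines:
        parse_line(line, findings)
    verdicts = {}
    for src, f in findings.items():
        tags = []
        if f["wmi"]:
            tags.append("hardware-fingerprint-wmi")
        if f["sleeps"]:
            tags.append("long-sleep")
        if f["loops"]:
            tags.append("sleep-loop")
        for target, bases in f["mz"].items():
            # Injection = RWX region in a foreign process receiving an MZ header
            # at the same base; hollowing = the injector also spawned that process.
            if bases & f["rwx"].get(target, set()):
                tags.append("pe-injection")
                if target in f["created"]:
                    tags.append("process-hollowing")
        verdicts[src] = tags
    return verdicts


if __name__ == "__main__":
    for src, tags in assess(SAMPLE_LINES).items():
        print(src, tags)
```

            Running the block prints FriKanya.exe tagged long-sleep, sleep-loop, pe-injection and process-hollowing, and AddInProcess32.exe tagged hardware-fingerprint-wmi, which matches the division of labour the report shows: the dropper hollows AddInProcess32.exe, and the injected payload is the one that fingerprints the hardware.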
            Source: C:\Users\user\AppData\Roaming\MyKanyAasean