
Analysis Report funngycry.exe

Overview

General Information

Sample Name: funngycry.exe
Analysis ID: 279184
MD5: eb1298f86e063eb9f1dcf288adbf9702
SHA1: 63873150340c245ccb1376d60fa4328a607feab5
SHA256: 56455fb98a91d0b0244bc347a1d32b0bd1d02a765e12d925d119564385410d71

Detection

Azorult GuLoader Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Azorult
Yara detected GuLoader
Yara detected Lokibot
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • funngycry.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\funngycry.exe' MD5: EB1298F86E063EB9F1DCF288ADBF9702)
    • funngycry.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\funngycry.exe' MD5: EB1298F86E063EB9F1DCF288ADBF9702)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.283597388.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000002.00000003.279604085.000000001F7F8000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000002.00000003.280311604.000000001F81C000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000002.00000003.283370350.000000001F7DC000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
(The full report lists 6 entries.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: funngycry.exe | Virustotal: Detection: 36%
Source: funngycry.exe | ReversingLabs: Detection: 35%
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsof
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsof.
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: funngycry.exe, 00000002.00000002.283806252.00000000008C7000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digi
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.2.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, nss3.dll.2.dr | String found in binary or memory: http://www.mozilla.com0
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://4wqfow.bl.files.1drv.com/
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://4wqfow.bl.files.1drv.com/r
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000002.283806252.00000000008C7000.00000004.00000020.sdmp | String found in binary or memory: https://4wqfow.bl.files.1drv.com/y4mlksdTM1efH51ijPusjVmi2MsnONXDSvqb18JT4w_8keYxbJcz1t0hFJKqzxXYXiK
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://hotelavlokan.com/
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://hotelavlokan.com/direct_uri=https://login.l
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000003.283362648.000000001E060000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.283806252.00000000008C7000.00000004.00000020.sdmp | String found in binary or memory: https://hotelavlokan.com/fungg/32/index.php
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://hotelavlokan.com/fungg/32/index.phpe
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://hotelavlokan.com/fungg/32/index.phpe#
Source: funngycry.exe, 00000002.00000003.277456887.0000000000927000.00000004.00000001.sdmp | String found in binary or memory: https://login.l
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf4
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000003.277456887.0000000000927000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: funngycry.exe, 00000002.00000003.277456887.0000000000927000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp, funngycry.exe, 00000002.00000003.277456887.0000000000927000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033r
Source: funngycry.exe, 00000002.00000003.277456887.0000000000927000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033yo
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfxc~
Source: funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: funngycry.exe, 00000002.00000002.283597388.0000000000560000.00000040.00000001.sdmp, funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21113&authkey=AIswKWl
Source: funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/m
Source: funngycry.exe, 00000002.00000003.279581752.0000000000950000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp, nss3.dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05041713 NtWriteVirtualMemory,LoadLibraryA,0_2_05041713
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040DEE NtSetInformationThread,TerminateProcess,0_2_05040DEE
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040207 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_05040207
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_0504344D NtSetInformationThread,TerminateProcess,0_2_0504344D
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043E58 NtResumeThread,0_2_05043E58
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043A71 NtProtectVirtualMemory,0_2_05043A71
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050436FE NtSetInformationThread,TerminateProcess,LoadLibraryA,0_2_050436FE
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05042F96 NtSetInformationThread,TerminateProcess,0_2_05042F96
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043391 NtSetInformationThread,TerminateProcess,0_2_05043391
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_0504179C NtWriteVirtualMemory,0_2_0504179C
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050419A0 NtWriteVirtualMemory,0_2_050419A0
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050415A9 NtSetInformationThread,TerminateProcess,0_2_050415A9
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043FCF NtResumeThread,0_2_05043FCF
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050413C9 NtSetInformationThread,TerminateProcess,0_2_050413C9
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050417DB NtWriteVirtualMemory,0_2_050417DB
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05042FE3 NtSetInformationThread,TerminateProcess,0_2_05042FE3
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043006 NtSetInformationThread,TerminateProcess,0_2_05043006
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043624 NtSetInformationThread,TerminateProcess,0_2_05043624
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040245 NtSetInformationThread,TerminateProcess,0_2_05040245
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043E60 NtResumeThread,0_2_05043E60
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043E74 NtResumeThread,0_2_05043E74
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05042C7C NtSetInformationThread,TerminateProcess,0_2_05042C7C
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043E8C NtResumeThread,0_2_05043E8C
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040CCC NtSetInformationThread,TerminateProcess,0_2_05040CCC
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05042ED2 NtSetInformationThread,TerminateProcess,0_2_05042ED2
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050414FF NtSetInformationThread,TerminateProcess,0_2_050414FF
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563E58 NtSetInformationThread,2_2_00563E58
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563A71 NtProtectVirtualMemory,2_2_00563A71
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00560207 EnumWindows,NtSetInformationThread,2_2_00560207
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005636FE NtSetInformationThread,LoadLibraryA,2_2_005636FE
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005613C9 NtSetInformationThread,Sleep,TerminateThread,2_2_005613C9
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00560245 NtSetInformationThread,2_2_00560245
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563E74 NtSetInformationThread,2_2_00563E74
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00562C7C NtSetInformationThread,2_2_00562C7C
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563E60 NtSetInformationThread,2_2_00563E60
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563006 NtSetInformationThread,2_2_00563006
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563624 NtSetInformationThread,2_2_00563624
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00562ED2 NtSetInformationThread,2_2_00562ED2
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00560CCC NtSetInformationThread,2_2_00560CCC
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005614FF NtSetInformationThread,2_2_005614FF
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005606E0 NtProtectVirtualMemory,2_2_005606E0
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563E8C NtSetInformationThread,2_2_00563E8C
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563FCF NtSetInformationThread,2_2_00563FCF
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00562FE3 NtSetInformationThread,2_2_00562FE3
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00560DEE NtSetInformationThread,2_2_00560DEE
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00562F96 NtSetInformationThread,2_2_00562F96
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563391 NtSetInformationThread,2_2_00563391
Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005615A9 NtSetInformationThread,2_2_005615A9
Source: api-ms-win-core-debug-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: funngycry.exe, 00000000.00000000.200085444.0000000000410000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameoverskyller.exe vs funngycry.exe
Source: funngycry.exe, 00000000.00000002.227557439.00000000022F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs funngycry.exe
Source: funngycry.exe, 00000002.00000000.226508568.0000000000410000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameoverskyller.exe vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.270856067.000000001F8C4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.267373763.000000001E740000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.266777421.000000001E6D4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.267631524.000000001E878000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs funngycry.exe
Source: funngycry.exe, 00000002.00000002.287966406.000000001DDA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs funngycry.exe
Source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs funngycry.exe
Source: funngycry.exe, 00000002.00000002.287933703.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs funngycry.exe
Source: funngycry.exe | Binary or memory string: OriginalFilenameoverskyller.exe vs funngycry.exe
Source: C:\Users\user\Desktop\funngycry.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@3/48@3/1
Source: C:\Users\user\Desktop\funngycry.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A8AD8678-F187F0CB-B1A7EC3F3
Source: C:\Users\user\Desktop\funngycry.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD00800881042E462.TMP
Source: funngycry.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\funngycry.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\funngycry.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: funngycry.exe | Virustotal: Detection: 36%
Source: funngycry.exe | ReversingLabs: Detection: 35%
Source: unknown | Process created: C:\Users\user\Desktop\funngycry.exe 'C:\Users\user\Desktop\funngycry.exe'
Source: unknown | Process created: C:\Users\user\Desktop\funngycry.exe 'C:\Users\user\Desktop\funngycry.exe'
Source: C:\Users\user\Desktop\funngycry.exe | Process created: C:\Users\user\Desktop\funngycry.exe 'C:\Users\user\Desktop\funngycry.exe'
Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270615809.000000001F870000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270751712.000000001F8AC000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: funngycry.exe, 00000002.00000003.270856067.000000001F8C4000.00000004.00000001.sdmp, mozglue.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: funngycry.exe, 00000002.00000003.266977610.000000001E870000.00000004.00000001.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: ucrtbase.pdb source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.264326642.000000001EE7C000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, freebl3.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270615809.000000001F870000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270751712.000000001F8AC000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp, vcruntime140.dll.2.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: funngycry.exe, 00000002.00000003.270856067.000000001F8C4000.00000004.00000001.sdmp, mozglue.dll.2.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268633752.000000001F81C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.2.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, freebl3.dll.2.dr
            Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.266117876.000000001EE84000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.2.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr
            Source: Binary string: msvcp140.i386.pdb source: funngycry.exe, 00000002.00000003.266777421.000000001E6D4000.00000004.00000001.sdmp, msvcp140.dll.2.dr
            Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.2.dr
            Source: Binary string: ucrtbase.pdbUGP source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, ucrtbase.dll.2.dr
            Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.266294739.000000001EE70000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.2.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: funngycry.exe, 00000002.00000003.267373763.000000001E740000.00000004.00000001.sdmp, nssdbm3.dll.2.dr
            Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.2.dr
            Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268633752.000000001F81C000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270615809.000000001F870000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: funngycry.exe, 00000002.00000003.268633752.000000001F81C000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.2.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: funngycry.exe, 00000002.00000003.267460268.000000001E73C000.00000004.00000001.sdmp, softokn3.dll.2.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: funngycry.exe, 00000002.00000003.268633752.000000001F81C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.2.dr
            Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.264326642.000000001EE7C000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270615809.000000001F870000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
            Source: Binary string: vcruntime140.i386.pdb source: funngycry.exe, 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp, vcruntime140.dll.2.dr
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.266329965.000000001EE78000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.2.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: funngycry.exe, 00000002.00000003.267373763.000000001E740000.00000004.00000001.sdmp, nssdbm3.dll.2.dr
            Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270361465.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.2.dr
            Source: Binary string: msvcp140.i386.pdbGCTL source: funngycry.exe, 00000002.00000003.266777421.000000001E6D4000.00000004.00000001.sdmp, msvcp140.dll.2.dr
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.268274309.000000001F7F8000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.270615809.000000001F870000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.2.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: funngycry.exe, 00000002.00000003.279625932.000000001F050000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.2.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match File source: 00000002.00000002.283597388.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: funngycry.exe PID: 6820, type: MEMORY
            Source: Yara match File source: Process Memory Space: funngycry.exe PID: 7040, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match File source: Process Memory Space: funngycry.exe PID: 6820, type: MEMORY
            Source: Yara match File source: Process Memory Space: funngycry.exe PID: 7040, type: MEMORY
            Source: C:\Users\user\Desktop\funngycry.exe Code function: 0_2_05044141 push ecx; ret 0_2_05044150
            Source: C:\Users\user\Desktop\funngycry.exe Code function: 2_2_00564141 push ecx; ret 2_2_00564150
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nss3.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\funngycry.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\funngycry.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\funngycry.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\funngycry.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect Any.run
            Source: C:\Users\user\Desktop\funngycry.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\funngycry.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\funngycry.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\funngycry.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\funngycry.exe RDTSC instruction interceptor: First address: 0000000000560E99 second address: 0000000000560F2F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [edi+34h] 0x00000006 pushad 0x00000007 mov cx, E91Bh 0x0000000b cmp cx, E91Bh 0x00000010 jne 00007FC294C75340h 0x00000016 popad 0x00000017 mov dword ptr [edi+000007C0h], ebx 0x0000001d mov ebx, dword ptr [edi+28h] 0x00000020 mov dword ptr [edi+00000810h], ebx 0x00000026 cmp eax, ebx 0x00000028 test al, dl 0x0000002a mov bx, word ptr [edi+06h] 0x0000002e mov word ptr [edi+000007C4h], bx 0x00000035 test ecx, ecx 0x00000037 mov ebx, dword ptr [edi+000007C4h] 0x0000003d mov dword ptr [edi+000007C4h], ebx 0x00000043 mov ebx, dword ptr [edi+50h] 0x00000046 cmp ecx, ebx 0x00000048 mov dword ptr [edi+50h], 00000000h 0x0000004f pushad 0x00000050 mov di, 68F7h 0x00000054 cmp di, 68F7h 0x00000059 jne 00007FC294C752F7h 0x0000005f popad 0x00000060 mov dword ptr [edi+000007C8h], ebx 0x00000066 cmp di, 353Ch 0x0000006b mov ebx, dword ptr [edi+54h] 0x0000006e cmp ch, ch 0x00000070 mov dword ptr [edi+000007CCh], ebx 0x00000076 cmp bh, ah 0x00000078 sub edi, 40h 0x0000007b cmp dx, cx 0x0000007e mov eax, dword ptr [edi+000000C0h] 0x00000084 test edx, 195E9F91h 0x0000008a mov dword ptr [edi+00000814h], eax 0x00000090 pushad 0x00000091 mov eax, 0000009Ch 0x00000096 rdtsc
            Source: C:\Users\user\Desktop\funngycry.exe Code function: 0_2_05040DEE rdtsc 0_2_05040DEE
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll
            Source: C:\Users\user\Desktop\funngycry.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\funngycry.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
            Source: funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: vmicvss
            Source: funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
            Source: funngycry.exe, 00000000.00000002.241094447.0000000005040000.00000040.00000001.sdmp, funngycry.exe, 00000002.00000002.283597388.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
            Source: funngycry.exe, 00000000.00000002.241104947.000000000509A000.00000004.00000001.sdmp, funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
            Source: funngycry.exe, 00000002.00000002.284046863.00000000022EA000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
            Source: C:\Users\user\Desktop\funngycry.exe Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040DEE NtSetInformationThread 000000FE,00000011,00000000,00000000,00000040,05040293,00000000,00000000,00000000,00000000,?,00000000,00000000,05042F3D,?,? | 0_2_05040DEE
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\funngycry.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\funngycry.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\funngycry.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\funngycry.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\funngycry.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040DEE rdtsc | 0_2_05040DEE
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_0504212E LdrInitializeThunk | 0_2_0504212E
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05040DEE mov eax, dword ptr fs:[00000030h] | 0_2_05040DEE
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050436FE mov eax, dword ptr fs:[00000030h] | 0_2_050436FE
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05043179 mov eax, dword ptr fs:[00000030h] | 0_2_05043179
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_050413C9 mov eax, dword ptr fs:[00000030h] | 0_2_050413C9
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05042E46 mov eax, dword ptr fs:[00000030h] | 0_2_05042E46
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 0_2_05041CD3 mov eax, dword ptr fs:[00000030h] | 0_2_05041CD3
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005636FE mov eax, dword ptr fs:[00000030h] | 2_2_005636FE
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_005613C9 mov eax, dword ptr fs:[00000030h] | 2_2_005613C9
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00562E46 mov eax, dword ptr fs:[00000030h] | 2_2_00562E46
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00561CD3 mov eax, dword ptr fs:[00000030h] | 2_2_00561CD3
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00563179 mov eax, dword ptr fs:[00000030h] | 2_2_00563179
            Source: C:\Users\user\Desktop\funngycry.exe | Code function: 2_2_00560DEE mov eax, dword ptr fs:[00000030h] | 2_2_00560DEE
            Source: C:\Users\user\Desktop\funngycry.exe | Process created: C:\Users\user\Desktop\funngycry.exe 'C:\Users\user\Desktop\funngycry.exe'
            Source: C:\Users\user\Desktop\funngycry.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\Desktop\funngycry.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Azorult
            Source: Yara match | File source: 00000002.00000003.279604085.000000001F7F8000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.280311604.000000001F81C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.283370350.000000001F7DC000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.280346422.000000001F4A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: funngycry.exe PID: 7040, type: MEMORY
            Yara detected Lokibot
            Source: Yara match | File source: Process Memory Space: funngycry.exe PID: 7040, type: MEMORY
            Found many strings related to Crypto-Wallets (likely being stolen)
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: >%appdata%\Electrum-LTC\wallets\lectrum\wallets\\*a\ta\ Dataekyb3d8bbwe\AC\MicrosoftEdge\Cookies\\*.cookiextie
            Source: funngycry.exe, 00000002.00000002.283756387.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: `C:\Users\user\AppData\Roaming\Electrum\wallets\datFw
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: fC:\Users\user\AppData\Roaming\Jaxx\Local Storage\\
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*z
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: fC:\Users\user\AppData\Roaming\Jaxx\Local Storage\\
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: hotelavlokan.comA%\Ethereum\keystore\,
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*z
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: hotelavlokan.comA%\Ethereum\keystore\,
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: hotelavlokan.comA%\Ethereum\keystore\,
            Source: funngycry.exe, 00000002.00000002.283822040.00000000008E2000.00000004.00000020.sdmp | String found in binary or memory: >%appdata%\Electrum-LTC\wallets\lectrum\wallets\\*a\ta\ Dataekyb3d8bbwe\AC\MicrosoftEdge\Cookies\\*.cookiextie
            Tries to harvest and steal Bitcoin Wallet information
            Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
            Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\funngycry.exe | File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\funngycry.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
            Source: C:\Users\user\Desktop\funngycry.exe | File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Users\user\Desktop\funngycry.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
            Source: C:\Users\user\Desktop\funngycry.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
            Tries to steal Mail credentials (via file access)
            Source: C:\Users\user\Desktop\funngycry.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

            Remote Access Functionality:

            Yara detected Lokibot
            Source: Yara match | File source: Process Memory Space: funngycry.exe PID: 7040, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection11 | Virtualization/Sandbox Evasion21 | OS Credential Dumping1 | Security Software Discovery421 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection11 | Credentials in Registry2 | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Data from Local System3 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Credentials In Files1 | Process Discovery11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | 
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | System Information Discovery123 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 

            Behavior Graph
