Analysis Report Preview.exe

Overview

General Information

Sample Name: Preview.exe
Analysis ID: 289653
MD5: 8e7b76532c0bb541c727861f74a0b618
SHA1: ef0d327aa5969f8ad65ddb7f605d645e3270e64a
SHA256: 9f7e4c52af1b8afcb06ca88cc726d1e4681b0f87683b04d175bb70be4363d345
Tags: exe

Most interesting Screenshot:

Detection

Bazar
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Bazar Backdoor
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Preview.exe (PID: 4848 cmdline: 'C:\Users\user\Desktop\Preview.exe' MD5: 8E7B76532C0BB541C727861F74A0B618)
    • WerFault.exe (PID: 6116 cmdline: C:\Windows\system32\WerFault.exe -u -p 4848 -s 2200 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: Preview.exe PID: 4848
Rule: JoeSecurity_Bazar
Description: Yara detected Bazar Backdoor
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_0000000140001764 CryptAcquireContextA,CryptAcquireContextA,0_2_0000000140001764
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_000000018000E2C7 CryptAcquireContextW,CryptGetHashParam,CryptGetHashParam,0_2_000000018000E2C7
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_0000000180006915 CryptStringToBinaryA,CryptStringToBinaryA,0_2_0000000180006915
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_000000014000ACD8 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,0_2_000000014000ACD8
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_0000000180026468 FindFirstFileExA,0_2_0000000180026468

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 45.143.136.209:443 -> 192.168.2.5:49732
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: unknown | TCP traffic detected without corresponding DNS query: 45.143.136.209
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_000000018000C1B0 InternetQueryOptionA,InternetConnectA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpSendRequestA,HttpQueryInfoA,InternetOpenA,0_2_000000018000C1B0
Source: Preview.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Preview.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preview.exe, 00000000.00000002.319306392.00000000006D0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Preview.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preview.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Preview.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preview.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Preview.exe, 00000000.00000002.327245737.0000000004EA0000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/end
Source: Preview.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: Preview.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: Preview.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp | String found in binary or memory: https://45.143.136.209/
Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp | String found in binary or memory: https://45.143.136.209/api/v202
Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp | String found in binary or memory: https://45.143.136.209/api/v2021
Source: Preview.exe, 00000000.00000002.327213233.0000000004E90000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v202X
Source: Preview.exe, 00000000.00000002.327213233.0000000004E90000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v204
Source: Preview.exe, 00000000.00000002.327213233.0000000004E90000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v2040
Source: Preview.exe, 00000000.00000002.327372843.0000000004F4C000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v2044
Source: Preview.exe, 00000000.00000002.327372843.0000000004F4C000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v204;
Source: Preview.exe, 00000000.00000002.327372843.0000000004F4C000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209/api/v204exe
Source: Preview.exe, 00000000.00000002.327112445.0000000004B6B000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209:443/api/v202
Source: Preview.exe, 00000000.00000002.327439994.0000000004F80000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209:443/api/v202LOCALAPPDATA=C:
Source: Preview.exe, 00000000.00000002.327112445.0000000004B6B000.00000004.00000001.sdmp | String found in binary or memory: https://45.143.136.209:443/api/v204
Source: Preview.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\Users\user\Desktop\Preview.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_000000018001B7A8 CreateProcessA,NtReadVirtualMemory,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtSetContextThread,NtResumeThread,VirtualAllocEx,0_2_000000018001B7A8
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4848 -s 2200
Source: Preview.exe | Static PE information: invalid certificate
Source: Preview.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Preview.exe, 00000000.00000002.327501225.00000000050B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Preview.exe
Source: Preview.exe, 00000000.00000002.327479127.00000000050A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs Preview.exe
Source: Preview.exe, 00000000.00000002.319564841.0000000002160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs Preview.exe
Source: Preview.exe, 00000000.00000002.320259188.0000000002DE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameimageres.DLLj% vs Preview.exe
Source: Preview.exe, 00000000.00000002.327462967.0000000004F90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Preview.exe
Source: Preview.exe, 00000000.00000002.327168570.0000000004D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Preview.exe
Source: C:\Windows\System32\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\System32\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine | Classification label: mal64.troj.evad.winEXE@2/6@0/1
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_000000014000125C CoCreateInstance,SysAllocString,SysFreeString,0_2_000000014000125C
Source: C:\Users\user\Desktop\Preview.exe | Code function: 0_2_0000000140001A98 FindResourceA,LoadResource,SizeofResource,0_2_0000000140001A98
Source: C:\Users\user\Desktop\Preview.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\Preview.exe | Mutant created: \Sessions\1\BaseNamedObjects\ld_201127
Source: C:\Users\user\Desktop\Preview.exe | Mutant created: \Sessions\1\BaseNamedObjects\ms213716
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4848
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD85D.tmp
Source: Preview.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Preview.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Preview.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Preview.exe 'C:\Users\user\Desktop\Preview.exe'
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4848 -s 2200
Source: C:\Users\user\Desktop\Preview.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Preview.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Preview.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Users\Izidu\Desktop\2019\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\com\uac\elevationsample\x64\Release\ElevationSample.pdb source: Preview.exe
    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: comdlg32.pdb8 source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: sspicli.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: userenv.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000000D.00000003.307397542.0000023B150A2000.00000004.00000001.sdmp
    Source: Binary string: rsaenh.pdb? source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: cabinet.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: fastprox.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: msctf.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: user32.pdb source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: msctf.pdb% source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.307654708.0000023B15090000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn8! source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: netapi32.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.307429605.0000023B15095000.00000004.00000040.sdmp
    Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000D.00000003.303339630.0000023B14571000.00000004.00000001.sdmp
    Source: Binary string: ktmw32.pdbi8" source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: cfgmgr32.pdb: source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: ncryptprov.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: CoreMessaging.pdbl source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000D.00000003.307673604.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.307443427.0000023B1509A000.00000004.00000040.sdmp
    Source: Preview.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: Preview.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: Preview.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: Preview.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: Preview.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000180015D40 DispatchMessageA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0000000180015D40
    Source: Preview.exe Static PE information: section name: _RDATA
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0447644C push edi; ret 0_2_0447644E
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_04476410 push edi; ret 0_2_04476412
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0447654B push edi; ret 0_2_0447654D
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_04475906 push edi; ret 0_2_04475908
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0447593A push edi; ret 0_2_0447593C
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_04476587 push edi; ret 0_2_04476589
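    The debug-symbol path recovered from Preview.exe above points at the Windows SDK 7 UAC ElevationSample project (ElevationSample.pdb) rather than at anything named Preview, the same kind of name mismatch the report raises for the version info. The standard-library Python below is added here as a triage example; it is not code from the report, from Joe Sandbox or from the sample. It walks the PE debug directory to the CodeView RSDS record, returns the GUID, age and PDB path, and flags a PDB name that does not match the executable name. build_sample_pe constructs a synthetic PE32+ fixture so the code runs offline; the GUID inside that fixture is an arbitrary test value, not the sample's.

```python
"""Pull the CodeView (RSDS) PDB record out of a PE and compare the PDB name
with the executable's own name. Added triage example, not code from the
report or from the analysed sample; it uses only the standard library."""
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2   # IMAGE_DEBUG_DIRECTORY.Type for CodeView records
DIRECTORY_ENTRY_DEBUG = 6       # index of the debug entry in the data directories
DEBUG_ENTRY_SIZE = 28           # sizeof(IMAGE_DEBUG_DIRECTORY)


def _section_table(data, nt_off, nsec, opt_size):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    base = nt_off + 4 + 20 + opt_size          # PE sig + IMAGE_FILE_HEADER + optional header
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, base + i * 40 + 8)
        yield va, vsize, rptr, rsize


def _rva_to_offset(rva, sections):
    for va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def extract_pdb_info(data):
    """Return (guid, age, pdb_path) from the first RSDS debug entry, or None."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    nt_off, = struct.unpack_from("<I", data, 0x3C)
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    nsec, = struct.unpack_from("<H", data, nt_off + 6)
    opt_size, = struct.unpack_from("<H", data, nt_off + 20)
    opt_off = nt_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    dd_off = 0x60 if magic == 0x10B else 0x70   # PE32 vs PE32+ data-directory offset
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", data, opt_off + dd_off + 8 * DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0 or dbg_size == 0:
        return None                             # no debug directory at all (common when packed)
    sections = list(_section_table(data, nt_off, nsec, opt_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + i * DEBUG_ENTRY_SIZE
        # Type, SizeOfData, AddressOfRawData, PointerToRawData
        dtype, dsize, _rva, dptr = struct.unpack_from("<IIII", data, entry + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or dsize < 24:
            continue
        cv = data[dptr:dptr + dsize]
        if cv[:4] != b"RSDS":                   # only the PDB 7.0 format is handled
            continue
        guid = uuid.UUID(bytes_le=cv[4:20])
        age, = struct.unpack_from("<I", cv, 20)
        path = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return str(guid).upper(), age, path
    return None


def pdb_name_mismatch(pdb_path, exe_name):
    """True when the PDB stem (ElevationSample) differs from the EXE stem (Preview)."""
    pdb_stem = pdb_path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    exe_stem = exe_name.rsplit(".", 1)[0]
    return pdb_stem.lower() != exe_stem.lower()


def build_sample_pe(pdb_path, age=1):
    """Construct a minimal PE32+ whose single section holds one RSDS record.
    Synthetic fixture for offline testing; it is not the analysed binary."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")   # arbitrary test value
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"
    sec_va, sec_raw = 0x1000, 0x200
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(cv), sec_va + DEBUG_ENTRY_SIZE, sec_raw + DEBUG_ENTRY_SIZE)
    payload = dbg_entry + cv
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    opt = bytearray(0xF0)                                        # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 0x6C, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x70 + 8 * DIRECTORY_ENTRY_DEBUG, sec_va, DEBUG_ENTRY_SIZE)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    section = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), sec_va, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(sec_raw, b"\0") + payload.ljust(raw_size, b"\0")
```

    On a real file, call extract_pdb_info(open(path, "rb").read()) and pass the returned path with the file's name to pdb_name_mismatch. Only RSDS (PDB 7.0) records are parsed, and a packed or stripped sample may carry no debug directory at all; the function then returns None rather than guessing, so treat an absent PDB path as a separate signal from a mismatching one.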

    Hooking and other Techniques for Hiding and Protection:

    Icon mismatch, binary includes an icon from a different legit application in order to fool users
    Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (36).png
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000180015D40 DispatchMessageA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0000000180015D40
    Source: C:\Users\user\Desktop\Preview.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Source: C:\Windows\System32\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
    Source: C:\Users\user\Desktop\Preview.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)
    Source: C:\Windows\System32\WerFault.exe File opened: PhysicalDrive0
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_000000014000ACD8 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,0_2_000000014000ACD8
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000180026468 FindFirstFileExA,0_2_0000000180026468
    Source: WerFault.exe, 0000000D.00000003.316302368.0000023B1283E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW01
    Source: WerFault.exe, 0000000D.00000002.317636740.0000023B151B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: WerFault.exe, 0000000D.00000002.317202038.0000023B14597000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW-0000
    Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp, WerFault.exe, 0000000D.00000002.317202038.0000023B14597000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: WerFault.exe, 0000000D.00000002.317636740.0000023B151B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: WerFault.exe, 0000000D.00000002.317636740.0000023B151B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: WerFault.exe, 0000000D.00000002.317636740.0000023B151B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Windows\System32\WerFault.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\Preview.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\Preview.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140003CCC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000000140003CCC
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_00000001800205E0 InitializeCriticalSectionEx,GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_00000001800205E0
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000180015D40 DispatchMessageA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0000000180015D40
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_000000014000D084 GetProcessHeap,0_2_000000014000D084
    Source: C:\Windows\System32\WerFault.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_00000001400034A0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00000001400034A0
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140003CCC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000000140003CCC
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140003644 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0000000140003644
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140003EB0 SetUnhandledExceptionFilter,0_2_0000000140003EB0
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140008B8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0000000140008B8C
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_00000001800251A8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00000001800251A8
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_00000001800206D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00000001800206D0
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_00000001800253A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00000001800253A4
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140011D70 cpuid 0_2_0000000140011D70
    Source: C:\Users\user\Desktop\Preview.exe Code function: DispatchMessageA,MultiByteToWideChar,WSAStartup,MultiByteToWideChar,CreateMutexExA,GetLocaleInfoA,GetLocaleInfoA,wnsprintfA,MultiByteToWideChar,CreateMutexExA,GetCommandLineA,DeleteFileA,0_2_00000001800142B3
    Source: C:\Users\user\Desktop\Preview.exe Code function: 0_2_0000000140003BB0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000140003BB0
    Source: C:\Users\user\Desktop\Preview.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Preview.exe, 00000000.00000002.319151233.0000000000626000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Users\user\Desktop\Preview.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

    Stealing of Sensitive Information:

    Yara detected Bazar Backdoor
    Source: Yara match File source: Process Memory Space: Preview.exe PID: 4848, type: MEMORY

    Remote Access Functionality:

    Yara detected Bazar Backdoor
    Source: Yara match File source: Process Memory Space: Preview.exe PID: 4848, type: MEMORY

    Mitre Att&ck Matrix

    Techniques flagged for this sample, by tactic. The number in parentheses is the count of matching signatures, as shown in the original matrix; unflagged cells of the standard matrix grid are omitted.

    Initial Access: none flagged
    Execution: Windows Management Instrumentation (1), Native API (1)
    Persistence: DLL Side-Loading (1), Application Shimming (1)
    Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Application Shimming (1)
    Defense Evasion: Masquerading (11), Modify Registry (1), Virtualization/Sandbox Evasion (2), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1)
    Credential Access: none flagged
    Discovery: System Time Discovery (1), Query Registry (1), Security Software Discovery (71), Virtualization/Sandbox Evasion (2), Process Discovery (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (33)
    Lateral Movement: none flagged
    Collection: Archive Collected Data (1)
    Exfiltration: none flagged
    Command and Control: Encrypted Channel (22), Ingress Tool Transfer (1), Application Layer Protocol (1)
    Network Effects, Remote Service Effects, Impact: none flagged

    Behavior Graph