Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 3.2.picturerus.exe.e1053f.2.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 4.2.picturerus.exe.60053f.1.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0219207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, |
1_2_0219207B |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0219215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, |
1_2_0219215A |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191F11 CryptExportKey, |
1_2_02191F11 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191F56 CryptGetHashParam, |
1_2_02191F56 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, |
1_2_02191F75 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, |
1_2_02191FFC |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, |
4_2_00ED207B |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, |
4_2_00ED1FFC |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, |
4_2_00ED1F75 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED1F11 CryptExportKey, |
4_2_00ED1F11 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, |
4_2_00ED215A |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED1F56 CryptGetHashParam, |
4_2_00ED1F56 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, |
0_2_0043A377 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, |
0_2_0043AE3F |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, |
1_2_0043A377 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, |
1_2_0043AE3F |
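The "Code function" entries above (CryptoAPI chains at 1_2_0219xxxx / 4_2_00EDxxxx, the FindFirstFileA enumeration at 0043A377 / 0043AE3F, and the OpenSCManagerW/CreateServiceW chain listed further down) share one layout: a Source line, a Code function line carrying the API names, and a line repeating the function id. The parser below is an added example for this page, not part of the sandbox report or of any vendor tooling. It reads that layout, strips the trailing " |" cell residue of the HTML export, and groups API names per process image into capability buckets. The bucket definitions and the two-API threshold are editorial assumptions; SAMPLE_REPORT is an excerpt copied from the report.

```python
"""Parse 'Source:' / 'Code function:' pairs from a sandbox report and
summarise which API chains each process image carries.

Added example for this page; not part of the sandbox report or of any
vendor tooling.  The capability buckets are an editorial assumption
about which API names belong together.  SAMPLE_REPORT is an excerpt
copied from the report itself.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Function ids in the report look like <pid>_<phase>_<hex address>.
FID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")
API_NAME_RE = re.compile(r"\w+")

# Editorial assumption: API names that, seen together in one image,
# indicate a capability worth a closer look.
CAPABILITIES = {
    "crypto_session_key": {
        "CryptAcquireContextW", "CryptImportKey", "CryptGenKey",
        "CryptExportKey", "CryptEncrypt", "CryptDecrypt",
        "CryptVerifySignatureW",
    },
    "service_install": {
        "OpenSCManagerW", "CreateServiceW", "ChangeServiceConfig2W",
        "StartServiceW",
    },
    "file_enumeration": {
        "FindFirstFileA", "FindClose", "GetVolumeInformationA",
    },
}
MIN_HITS = 2  # require at least two APIs of a bucket before reporting it

# Excerpt of the report above (constructed ordering, verbatim lines).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0219207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, |
1_2_0219207B |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, |
1_2_02191F75 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02191FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, |
1_2_02191FFC |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, |
0_2_0043AE3F |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, |
1_2_0219C3B7 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, |
4_2_00EDC3B7 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_00419277 push ecx; ret |
0_2_00419287 |
"""


def _clean(line: str) -> str:
    """Drop the trailing ' |' table-cell residue and surrounding whitespace."""
    return line.strip().rstrip("|").strip()


def _parse_code_function(body: str) -> tuple[str | None, list[str]]:
    """Split '[fid] api1,api2,...' into (fid or None, [api names])."""
    parts = body.split(None, 1)
    fid, rest = None, body
    if parts and FID_RE.fullmatch(parts[0]):
        fid = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
    # Keep plain identifiers only; 'push ecx; ret' style entries carry no API.
    apis = [a for a in rest.split(",") if API_NAME_RE.fullmatch(a)]
    return fid, apis


def parse_code_functions(lines) -> list[dict]:
    """Return one record per 'Code function' entry: source, fid, apis."""
    records, source = [], None
    lines = [_clean(l) for l in lines]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
        elif line.startswith("Code function:"):
            fid, apis = _parse_code_function(line[len("Code function:"):].strip())
            # The report repeats a function address on the next line; use it
            # when the entry itself carried no id, otherwise just consume it.
            if i + 1 < len(lines) and FID_RE.fullmatch(lines[i + 1]):
                fid = fid or lines[i + 1]
                i += 1
            records.append({"source": source, "fid": fid, "apis": apis})
        i += 1
    return records


def summarise(records: list[dict]) -> dict[str, dict]:
    """Aggregate per source image: function count, pids seen, APIs, capabilities."""
    out: dict[str, dict] = defaultdict(
        lambda: {"functions": 0, "pids": set(), "apis": set()})
    for r in records:
        entry = out[r["source"]]
        entry["functions"] += 1
        entry["apis"].update(r["apis"])
        if r["fid"]:
            entry["pids"].add(int(r["fid"].split("_")[0]))
    for entry in out.values():
        entry["capabilities"] = {
            name for name, apis in CAPABILITIES.items()
            if len(apis & entry["apis"]) >= MIN_HITS
        }
    return dict(out)


if __name__ == "__main__":
    for src, entry in summarise(parse_code_functions(SAMPLE_REPORT.splitlines())).items():
        print(src, sorted(entry["pids"]), sorted(entry["capabilities"]))
```

Run against the excerpt, the desktop dropper shows pids 0 and 1 with all three buckets, while the SysWOW64 copy (pid 4) shows only the service-install chain, because the excerpt carries no other entries for it. The parser tolerates the entry style where the id sits only on the following line (the CreateServiceW chain) and ignores instruction-style entries such as "push ecx; ret".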
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.33.54.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.33.54.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.33.54.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 209.141.41.136 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 209.141.41.136 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 209.141.41.136 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.236.246.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.236.246.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.236.246.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 198.199.114.69 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 198.199.114.69 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 198.199.114.69 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 152.89.236.214 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 152.89.236.214 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 152.89.236.214 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.106.136.232 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.106.136.232 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.106.136.232 |
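The six destinations above were contacted by IP with no DNS lookup first, which is why the sandbox raises "TCP traffic detected without corresponding DNS query". The script below is an added example for this page, not part of the report or of any product: it reproduces that check over a DNS log and a connection log, flagging TCP connections to public addresses that no DNS answer for that address explains within a preceding time window. Both logs are constructed; the destination IPs are the ones listed in the report, the ports, timestamps and the example.net names are placeholders. The third DNS entry deliberately resolves one of the IPs only after the connection to it, to show that a later answer does not excuse an earlier connection.

```python
"""Flag outbound TCP connections to public IPs that no prior DNS answer
explains (the sandbox's 'TCP traffic without corresponding DNS query').

Added example for this page, not part of the sandbox report or of any
vendor product.  DNS_LOG and CONN_LOG are constructed: destination IPs
come from the report, everything else is a placeholder.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    qname: str
    answers: tuple[str, ...]


@dataclass(frozen=True)
class Conn:
    ts: float
    dst: str
    dport: int
    proto: str


# Constructed DNS log: ts <TAB> query name <TAB> comma-separated answers.
# The last entry resolves a reported IP only *after* the connection to it.
DNS_LOG = """\
1700000000.0\tupdate.example.net\t87.106.136.232
1700000030.0\tlate.example.net\t209.141.41.136
"""

# Constructed connection log: ts <TAB> dst ip <TAB> dst port <TAB> proto.
CONN_LOG = """\
1700000010.0\t87.106.136.232\t443\ttcp
1700000012.0\t45.33.54.74\t8080\ttcp
1700000013.0\t45.33.54.74\t8080\ttcp
1700000020.0\t209.141.41.136\t443\ttcp
1700000021.0\t10.0.0.5\t445\ttcp
1700000022.0\t104.236.246.93\t53\tudp
"""


def parse_dns_log(text: str) -> list[DnsAnswer]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, answers = line.split("\t")
        out.append(DnsAnswer(float(ts), qname,
                             tuple(a for a in answers.split(",") if a)))
    return out


def parse_conn_log(text: str) -> list[Conn]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, dport, proto = line.split("\t")
        out.append(Conn(float(ts), dst, int(dport), proto.lower()))
    return out


def _is_public(ip: str) -> bool:
    # Private, loopback, link-local and other special-purpose ranges are
    # expected to be reached without DNS; only globally routable IPs count.
    return ipaddress.ip_address(ip).is_global


def find_direct_ip_connections(dns: list[DnsAnswer], conns: list[Conn],
                               window: float = 3600.0) -> list[Conn]:
    """Return TCP connections to public IPs with no DNS answer for that IP
    in the `window` seconds before the connection started."""
    resolved_at: dict[str, list[float]] = defaultdict(list)
    for rec in dns:
        for ip in rec.answers:
            resolved_at[ip].append(rec.ts)
    hits = []
    for c in conns:
        if c.proto != "tcp" or not _is_public(c.dst):
            continue
        explained = any(0 <= c.ts - t <= window
                        for t in resolved_at.get(c.dst, ()))
        if not explained:
            hits.append(c)
    return hits


def distinct_destinations(hits: list[Conn]) -> list[str]:
    return sorted({c.dst for c in hits})


if __name__ == "__main__":
    found = find_direct_ip_connections(parse_dns_log(DNS_LOG),
                                       parse_conn_log(CONN_LOG))
    for c in found:
        print(f"{c.ts:.0f} {c.dst}:{c.dport} direct-to-IP, no prior DNS answer")
```

On the constructed logs this yields three hits to two destinations (45.33.54.74 twice, 209.141.41.136 once); the connection to 87.106.136.232 is excused by the earlier answer, the RFC 1918 address and the UDP flow are skipped. Shrinking the window below the gap between the resolution and the connection (for example window=5) makes 87.106.136.232 a hit as well, which is the knob to tune against the DNS TTLs seen on a given network.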
Source: picturerus.exe, 00000004.00000002.487408684.0000000000199000.00000004.00000001.sdmp |
String found in binary or memory: http://178.210.51.222/attrib/glitch/add/merge/ |
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 00000005.00000002.487921047.000001F62F2A0000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: svchost.exe, 00000005.00000002.491346023.000001F634C00000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp |
String found in binary or memory: http://www.bingmapsportal.com |
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp |
String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp |
String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp |
String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000009.00000002.305368398.0000023F57C64000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000009.00000003.305042012.0000023F57C3A000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, |
0_2_0043814C |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState, |
0_2_0044C334 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, |
0_2_004450BA |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, |
0_2_0042F3FF |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, |
0_2_00449796 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, |
0_2_00433B4D |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState, |
1_2_0043814C |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState, |
1_2_0044C334 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, |
1_2_004450BA |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, |
1_2_0042F3FF |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, |
1_2_00449796 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, |
1_2_00433B4D |
Source: Yara match |
File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE |
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet Author: ReversingLabs |
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet Author: ReversingLabs |
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet Author: ReversingLabs |
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet Author: ReversingLabs |
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_0041CB04 |
0_2_0041CB04 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_004351C1 |
0_2_004351C1 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 0_2_00419288 |
0_2_00419288 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_0041CB04 |
1_2_0041CB04 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_004351C1 |
1_2_004351C1 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_00419288 |
1_2_00419288 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_021828C1 |
1_2_021828C1 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_021830E8 |
1_2_021830E8 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_021830E4 |
1_2_021830E4 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_021937A9 |
1_2_021937A9 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_021937A5 |
1_2_021937A5 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: 1_2_02192F82 |
1_2_02192F82 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E130E4 |
3_2_00E130E4 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E130E8 |
3_2_00E130E8 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E128C1 |
3_2_00E128C1 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E237A5 |
3_2_00E237A5 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E237A9 |
3_2_00E237A9 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 3_2_00E22F82 |
3_2_00E22F82 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_006030E4 |
4_2_006030E4 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_006030E8 |
4_2_006030E8 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_006028C1 |
4_2_006028C1 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED37A9 |
4_2_00ED37A9 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED37A5 |
4_2_00ED37A5 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: 4_2_00ED2F82 |
4_2_00ED2F82 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 00401AB4 appears 46 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 004373E9 appears 31 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0041C3B9 appears 57 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 004334D7 appears 64 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0044D589 appears 86 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 00419937 appears 8618 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0044FB2C appears 32 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 00419918 appears 483 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0041923C appears 130 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0041E3BF appears 79 times |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: String function: 0044D5AF appears 37 times |
|
Source: aEdlObiYav.exe, 00000000.00000002.221382669.0000000002280000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs aEdlObiYav.exe |
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs aEdlObiYav.exe |
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aEdlObiYav.exe |
Source: aEdlObiYav.exe, 00000001.00000002.241858641.0000000002900000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs aEdlObiYav.exe |
Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan |
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan |
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan |
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan |
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/ |
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, |
1_2_0219C3B7 |
Source: C:\Windows\SysWOW64\picturerus.exe |
Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, |
4_2_00EDC3B7 |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\M765E845E |
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\I765E845E |
Source: C:\Windows\SysWOW64\picturerus.exe |
Mutant created: \BaseNamedObjects\Global\I765E845E |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:3896:120:WilError_01 |
Source: unknown |
Process created: C:\Users\user\Desktop\aEdlObiYav.exe 'C:\Users\user\Desktop\aEdlObiYav.exe' |
|
Source: C:\Users\user\Desktop\aEdlObiYav.exe |
Process created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\picturerus.exe C:\Windows\SysWOW64\picturerus.exe |
|
Source: C:\Windows\SysWOW64\picturerus.exe |
Process created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
|
Source: unknown |
Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
|
Source: C:\Windows\System32\svchost.exe |
Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
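The process tree above shows two details worth turning into endpoint detection: each binary relaunches itself with a single eight-hex-character argument (aEdlObiYav.exe --79fd8b32, picturerus.exe --b743c2a4, with the token differing per binary), and the SysWOW64 copy appears with no recorded parent, consistent with the OpenSCManagerW/CreateServiceW/StartServiceW chain listed at 1_2_0219C3B7 and 4_2_00EDC3B7 having installed it as a service. The rules below are an added example for this page, not part of the report or of any product. The events are constructed in a Sysmon-like shape: only the image paths and command lines come from the report; the parent images (explorer.exe, services.exe), the service name "picturerus", the start type and the two benign control events are assumptions. The service-install event itself is assumed to exist (a Service Control Manager "service was installed" record); the report shows the API chain, not the resulting log entry.

```python
"""Detection logic over constructed process-creation and service-install
events for the execution chain in the report: self-relaunch with an
8-hex-character token, and a service whose binary lives in SysWOW64.

Added example for this page, not part of the sandbox report or of any
product.  EVENTS are constructed; only image paths and command lines are
taken from the report, parent images, service name and the benign
control events are assumptions.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable

HEX_TOKEN_RE = re.compile(r"\s--[0-9a-f]{8}$")
# Assumption: service binaries normally live under System32 or Program
# Files; one under SysWOW64 or a user-writable directory warrants review.
SUSPICIOUS_SERVICE_DIRS = (
    r"c:\windows\syswow64", r"c:\users", r"c:\programdata", r"c:\windows\temp",
)

EVENTS = [
    {"event": "process_create", "image": r"C:\Users\user\Desktop\aEdlObiYav.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\aEdlObiYav.exe'"},
    {"event": "process_create", "image": r"C:\Users\user\Desktop\aEdlObiYav.exe",
     "parent_image": r"C:\Users\user\Desktop\aEdlObiYav.exe",
     "cmdline": r"C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32"},
    {"event": "service_install", "service_name": "picturerus",
     "image_path": r"C:\Windows\SysWOW64\picturerus.exe", "start_type": "auto"},
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\picturerus.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\SysWOW64\picturerus.exe"},
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\picturerus.exe",
     "parent_image": r"C:\Windows\SysWOW64\picturerus.exe",
     "cmdline": r"C:\Windows\SysWOW64\picturerus.exe --b743c2a4"},
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
    {"event": "process_create", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable"},
    {"event": "service_install", "service_name": "ExampleSvc",
     "image_path": r"C:\Windows\System32\examplesvc.exe", "start_type": "auto"},
]


def rule_self_spawn_hex_token(ev: dict) -> bool:
    """Parent and child are the same image and the command line ends in
    exactly one '--' plus eight lowercase hex characters."""
    if ev["event"] != "process_create":
        return False
    same_image = ev["image"].casefold() == ev["parent_image"].casefold()
    return same_image and HEX_TOKEN_RE.search(ev["cmdline"].casefold()) is not None


def rule_service_in_suspicious_dir(ev: dict) -> bool:
    """Service binary registered from SysWOW64 or a user-writable path."""
    if ev["event"] != "service_install":
        return False
    path = ev["image_path"].strip("'\"").casefold()
    return any(path.startswith(d + "\\") for d in SUSPICIOUS_SERVICE_DIRS)


RULES: dict[str, Callable[[dict], bool]] = {
    "self_spawn_hex_token": rule_self_spawn_hex_token,
    "service_in_suspicious_dir": rule_service_in_suspicious_dir,
}


def evaluate(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Run every rule over every event; return (rule name, event) pairs."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def correlate(findings: list[tuple[str, dict]]) -> list[str]:
    """Images that were both installed as a suspicious service and later
    relaunched themselves with a hex token: the full chain from the report."""
    spawned = {ev["image"].casefold(): ev["image"]
               for name, ev in findings if name == "self_spawn_hex_token"}
    installed = {ev["image_path"].casefold()
                 for name, ev in findings if name == "service_in_suspicious_dir"}
    return sorted(spawned[k] for k in spawned if k in installed)


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for name, ev in found:
        print(name, ev.get("cmdline") or ev.get("image_path"))
    print("chain:", correlate(found))
```

Against the constructed events the self-spawn rule fires twice (once per binary) and the service rule once; correlate() ties them together for picturerus.exe only, since the desktop dropper was never registered as a service. The hex-token rule is deliberately strict about length: seven or nine characters, or uppercase hex, do not match, which keeps it from firing on ordinary flags such as the svchost.exe -k/-p/-s arguments.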
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00419277 push ecx; ret | 0_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004193A0 push eax; ret | 0_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004193A0 push eax; ret | 0_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00419918 push eax; ret | 0_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00419277 push ecx; ret | 1_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004193A0 push eax; ret | 1_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004193A0 push eax; ret | 1_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00419918 push eax; ret | 1_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0218E190 push BB276B01h; ret | 1_2_0218E1C2
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E1E190 push BB276B01h; ret | 3_2_00E1E1C2
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_0060E190 push BB276B01h; ret | 4_2_0060E1C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, | 0_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, | 0_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, | 0_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, | 0_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00449839 IsWindowVisible,IsIconic, | 0_2_00449839
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, | 1_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent, | 1_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect, | 1_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, | 1_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00449839 IsWindowVisible,IsIconic, | 1_2_00449839
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\picturerus.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, | 1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, | 4_2_00EDC11B
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, | 0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, | 0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, | 1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose, | 1_2_0043AE3F
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000005.00000002.490947713.000001F634A62000.00000004.00000001.sdmp | Binary or memory string: (@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.490862849.000001F634A4C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000005.00000002.487748266.000001F62F229000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`C
Source: svchost.exe, 00000007.00000002.488350000.000001D9ACE64000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.487724636.00000157C782A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00401B93 mov eax, dword ptr fs:[00000030h] | 0_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00401BA2 mov eax, dword ptr fs:[00000030h] | 0_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h] | 1_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h] | 1_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02180467 mov eax, dword ptr fs:[00000030h] | 1_2_02180467
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02180C0C mov eax, dword ptr fs:[00000030h] | 1_2_02180C0C
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02181743 mov eax, dword ptr fs:[00000030h] | 1_2_02181743
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_021912CD mov eax, dword ptr fs:[00000030h] | 1_2_021912CD
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_02191E04 mov eax, dword ptr fs:[00000030h] | 1_2_02191E04
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E10467 mov eax, dword ptr fs:[00000030h] | 3_2_00E10467
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E10C0C mov eax, dword ptr fs:[00000030h] | 3_2_00E10C0C
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E11743 mov eax, dword ptr fs:[00000030h] | 3_2_00E11743
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E212CD mov eax, dword ptr fs:[00000030h] | 3_2_00E212CD
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 3_2_00E21E04 mov eax, dword ptr fs:[00000030h] | 3_2_00E21E04
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00600467 mov eax, dword ptr fs:[00000030h] | 4_2_00600467
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00600C0C mov eax, dword ptr fs:[00000030h] | 4_2_00600C0C
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00601743 mov eax, dword ptr fs:[00000030h] | 4_2_00601743
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED12CD mov eax, dword ptr fs:[00000030h] | 4_2_00ED12CD
Source: C:\Windows\SysWOW64\picturerus.exe | Code function: 4_2_00ED1E04 mov eax, dword ptr fs:[00000030h] | 4_2_00ED1E04
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00420406 SetUnhandledExceptionFilter, | 0_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_0042041A SetUnhandledExceptionFilter, | 0_2_0042041A
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00420406 SetUnhandledExceptionFilter, | 1_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_0042041A SetUnhandledExceptionFilter, | 1_2_0042041A
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,_strncpy, | 0_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP, | 0_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,EnumSystemLocalesA, | 0_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,_strlen,EnumSystemLocalesA, | 0_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, | 0_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,EnumSystemLocalesA, | 0_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA, | 0_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, | 0_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, | 0_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,MultiByteToWideChar, | 0_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, | 0_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,WideCharToMultiByte, | 0_2_00429BD1
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,_strncpy, | 1_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP, | 1_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,EnumSystemLocalesA, | 1_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,_strlen,EnumSystemLocalesA, | 1_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, | 1_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: _strlen,EnumSystemLocalesA, | 1_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA, | 1_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, | 1_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, | 1_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoA,MultiByteToWideChar, | 1_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, | 1_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: GetLocaleInfoW,WideCharToMultiByte, | 1_2_00429BD1
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\picturerus.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: aEdlObiYav.exe, 00000000.00000002.221218933.00000000004B0000.00000004.00000020.sdmp | Binary or memory string: Kav.exe
Source: svchost.exe, 0000000B.00000002.487696660.0000020979C3D000.00000004.00000001.sdmp | Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.487727705.0000020979D02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: Yara match | File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, | 0_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 0_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, | 0_2_00451B05
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree, | 1_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe | Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, | 1_2_00451B05