
Analysis Report YF4dF4w2Cr

Overview

General Information

Sample Name: YF4dF4w2Cr (renamed file extension from none to exe)
Analysis ID: 376398
MD5: f4d1470af3a7d82560b38558b132d468
SHA1: 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
SHA256: 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • YF4dF4w2Cr.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\YF4dF4w2Cr.exe' MD5: F4D1470AF3A7D82560B38558B132D468)
    • YF4dF4w2Cr.exe (PID: 6856 cmdline: --5c8d8ab7 MD5: F4D1470AF3A7D82560B38558B132D468)
  • fwdrrebrand.exe (PID: 6912 cmdline: C:\Windows\SysWOW64\fwdrrebrand.exe MD5: F4D1470AF3A7D82560B38558B132D468)
    • fwdrrebrand.exe (PID: 6928 cmdline: --1cbc15eb MD5: F4D1470AF3A7D82560B38558B132D468)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 E8 00 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 FC 26 E8 00 A3 F8 26 E8 00 39 05 90 F3 E7 00 74 18 40 A3 F8 26 E8 00 83 3C C5 90 F3 ...
00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 3F 02 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 FC 26 3F 02 A3 F8 26 3F 02 39 05 90 F3 3E 02 74 18 40 A3 F8 26 3F 02 83 3C C5 90 F3 ...
00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 41 00 85 C0
  • 0x48d4:$snippet6: 33 C0 21 05 FC 26 41 00 A3 F8 26 41 00 39 05 90 F3 40 00 74 18 40 A3 F8 26 41 00 83 3C C5 90 F3 ...
2.2.fwdrrebrand.exe.e4053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: YF4dF4w2Cr.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: YF4dF4w2Cr.exe | Metadefender: Detection: 41%
Source: YF4dF4w2Cr.exe | ReversingLabs: Detection: 86%
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.fwdrrebrand.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ddim
Source: 0.0.YF4dF4w2Cr.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ddim
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.YF4dF4w2Cr.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ddim
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.fwdrrebrand.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.ddim
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1F11 CryptExportKey
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1F56 CryptGetHashParam
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E7207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71F11 CryptExportKey
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71F56 CryptGetHashParam
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E7215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: YF4dF4w2Cr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0042E202 lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0042E202 lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 200.55.168.82:20
Source: global traffic | TCP traffic: 192.168.2.4:49747 -> 70.32.94.58:8080
Source: global traffic | TCP traffic: 192.168.2.4:49748 -> 213.138.100.98:8080
Source: global traffic | TCP traffic: 192.168.2.4:49751 -> 144.76.62.10:8080
Source: global traffic | TCP traffic: 192.168.2.4:49752 -> 203.99.188.203:990
Source: global traffic | TCP traffic: 192.168.2.4:49753 -> 201.196.15.79:990
Source: Joe Sandbox View | IP Address: 190.117.206.153
Source: unknown | TCP traffic detected without corresponding DNS query: 190.117.206.153
Source: unknown | TCP traffic detected without corresponding DNS query: 203.99.187.137
Source: unknown | TCP traffic detected without corresponding DNS query: 200.55.168.82
Source: unknown | TCP traffic detected without corresponding DNS query: 70.32.94.58
Source: unknown | TCP traffic detected without corresponding DNS query: 213.138.100.98
Source: unknown | TCP traffic detected without corresponding DNS query: 144.76.62.10
Source: unknown | TCP traffic detected without corresponding DNS query: 203.99.188.203
Source: unknown | TCP traffic detected without corresponding DNS query: 201.196.15.79
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71383 InternetReadFile
Source: fwdrrebrand.exe, 00000003.00000002.911061816.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://201.196.15.79/pnp/splash/loadan/merge/
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: YF4dF4w2Cr.exe, 00000000.00000002.646439364.00000000007DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00424B11 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00424B11 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023ED229
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E7D229
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023ED3F5 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E1D2B CreateProcessAsUserW,CreateProcessW
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | File deleted: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_004110C4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00403470
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00432286
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_004445DA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0043A5F0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0043265A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0043C699
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_004468E1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00432A66
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00444B1E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00432E86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00445062
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0042B39D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0044575A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00431DB1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_022F28C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_022F30E8
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_022F30E4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_023137A5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_023137A9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_02312F82
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_004110C4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00403470
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00432286
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_004445DA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0043A5F0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0043265A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0043C699
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_004468E1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00432A66
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00444B1E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00432E86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00445062
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0042B39D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0044575A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00431DB1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_022F28C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_022F30E8
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_022F30E4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E37A9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E37A5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023E2F82
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E430E4
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E430E8
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E428C1
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E537A5
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E537A9
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E52F82
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E430E4
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E430E8
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E428C1
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E737A5
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E737A9
Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E72F82
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00431A9B appears 430 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 004015A0 appears 56 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00439FE5 appears 52 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00431818 appears 142 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00431ACE appears 50 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00401170 appears 34 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 0041F363 appears 42 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: String function: 00431B04 appears 52 times
Source: YF4dF4w2Cr.exe, 00000000.00000002.646492673.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659892079.0000000002710000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659567664.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
          Source: classification engineClassification label: mal92.bank.troj.evad.winEXE@6/0@0/8
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0041D7DD __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_0041D7DD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,3_2_00E7D4C5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_02311943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_02311943
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0042B11B __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,CoInitializeEx,CoCreateInstance,0_2_0042B11B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00402500 FindResourceA,WideCharToMultiByte,WideCharToMultiByte,0_2_00402500
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\ID1A8F11D
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeMutant created: \BaseNamedObjects\Global\ID1A8F11D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\MD1A8F11D
          Source: YF4dF4w2Cr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: YF4dF4w2Cr.exeMetadefender: Detection: 41%
          Source: YF4dF4w2Cr.exeReversingLabs: Detection: 86%
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_0-44293
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: unknownProcess created: C:\Users\user\Desktop\YF4dF4w2Cr.exe 'C:\Users\user\Desktop\YF4dF4w2Cr.exe'
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeProcess created: C:\Users\user\Desktop\YF4dF4w2Cr.exe --5c8d8ab7
          Source: unknownProcess created: C:\Windows\SysWOW64\fwdrrebrand.exe C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeProcess created: C:\Windows\SysWOW64\fwdrrebrand.exe --1cbc15eb
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_CURSOR
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_BITMAP
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_ICON
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_MENU
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_DIALOG
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_STRING
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_ACCELERATOR
          Source: YF4dF4w2Cr.exe | Static PE information: section name: RT_GROUP_ICON
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00442426 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00442426
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0043185D push ecx; ret 0_2_00431870
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00431B73 push ecx; ret 0_2_00431B86
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_022FE932 pushad ; ret 0_2_022FE933
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_022FE9EA pushad ; iretd 0_2_022FE9ED
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0043185D push ecx; ret 1_2_00431870
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00431B73 push ecx; ret 1_2_00431B86
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_022FE932 pushad ; ret 1_2_022FE933
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_022FE9EA pushad ; iretd 1_2_022FE9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E4E9EA pushad ; iretd 2_2_00E4E9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 2_2_00E4E932 pushad ; ret 2_2_00E4E933
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E4E9EA pushad ; iretd 3_2_00E4E9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Code function: 3_2_00E4E932 pushad ; ret 3_2_00E4E933

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Executable created and started: C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | PE file moved: C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | File opened: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier (access: read attributes, delete)
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect,0_2_0040C49C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00418BD1 GetParent,GetParent,IsIconic,GetParent,0_2_00418BD1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00409E32 IsWindowVisible,IsIconic,0_2_00409E32
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 0_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_00427FD5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect,1_2_0040C49C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00418BD1 GetParent,GetParent,IsIconic,GetParent,1_2_00418BD1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00409E32 IsWindowVisible,IsIconic,1_2_00409E32
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Code function: 1_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,1_2_00427FD5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Process information set: NOOPENFILEERRORBOX (12 occurrences)
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Process information set: NOOPENFILEERRORBOX (14 occurrences)

          Malware Analysis System Evasion:

          Found evasive API chain (may stop execution after checking mutex)
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
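          The behaviours this report records (the original and its SysWOW64 copy each relaunching themselves with "--" followed by eight hex digits, the PE moved to C:\Windows\SysWOW64\fwdrrebrand.exe with its Zone.Identifier stream opened for delete, and the Global\ID1A8F11D and Global\MD1A8F11D mutexes whose CreateMutex result gates ExitProcess) expressed as detection logic over process, file and mutex events. This is an added example, not sandbox output: the Event schema, the rule names and the sample events are constructed here from the records above, and the Sysmon-style field layout is an assumption; the paths, command lines and mutex names are copied from the report.

```python
# Added example: detection logic for the behaviours this report records, run
# over constructed Sysmon-style events. Event schema, rule names and sample
# events are assumptions of this example; indicator values come from the report.
import re
from dataclasses import dataclass

# Indicators copied from the report
KNOWN_MUTEXES = {r"Global\ID1A8F11D", r"Global\MD1A8F11D"}
DROPPED_EXE = r"C:\Windows\SysWOW64\fwdrrebrand.exe"
ORIG = r"C:\Users\user\Desktop\YF4dF4w2Cr.exe"

# Both the original and the SysWOW64 copy relaunch themselves with "--" plus
# eight lowercase hex digits (--5c8d8ab7 and --1cbc15eb in the process tree).
HEX8_ARG = re.compile(r"^--[0-9a-f]{8}$")
SYSWOW64_DIR = "c:\\windows\\syswow64\\"
USER_DIR = "c:\\users\\"


@dataclass
class Event:
    kind: str               # "process", "file" or "mutex" (assumed schema)
    image: str              # acting process image
    parent_image: str = ""  # process events only
    cmdline: str = ""       # process events only
    target: str = ""        # file path or kernel object name
    access: str = ""        # "write" or "delete" for file events


def detect(events):
    """Return (rule, indicator) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            # Last whitespace-separated token; image paths containing spaces
            # are not handled by this constructed parser.
            parts = e.cmdline.rsplit(None, 1)
            if (len(parts) == 2 and HEX8_ARG.match(parts[1])
                    and e.parent_image.lower() == image):
                hits.append(("self_relaunch_hex_arg", e.cmdline))
        elif e.kind == "file":
            target = e.target.lower()
            # Mark-of-the-Web removal: delete access on the Zone.Identifier stream
            if e.access == "delete" and target.endswith(":zone.identifier"):
                hits.append(("zone_identifier_removed", e.target))
            # Executable written into SysWOW64 by a process running from a user
            # profile path; legitimate installers can trip this, so tune it.
            if (e.access == "write" and target.startswith(SYSWOW64_DIR)
                    and target.endswith(".exe") and image.startswith(USER_DIR)):
                hits.append(("user_process_wrote_exe_to_syswow64", e.target))
        elif e.kind == "mutex":
            # Drop the \Sessions\N prefix so Global\ names compare across sessions
            name = e.target.rsplit("BaseNamedObjects\\", 1)[-1]
            if name in KNOWN_MUTEXES:
                hits.append(("known_emotet_mutex", name))
    return hits


# Constructed events mirroring the process tree and behaviour records above
SAMPLE_EVENTS = [
    Event("process", ORIG, "", "'" + ORIG + "'"),
    Event("process", ORIG, ORIG, ORIG + " --5c8d8ab7"),
    Event("mutex", ORIG, target=r"\Sessions\1\BaseNamedObjects\Global\ID1A8F11D"),
    Event("mutex", ORIG, target=r"\Sessions\1\BaseNamedObjects\Global\MD1A8F11D"),
    Event("file", ORIG, target=DROPPED_EXE, access="write"),
    Event("file", ORIG, target=DROPPED_EXE + ":Zone.Identifier", access="delete"),
    Event("process", DROPPED_EXE, "", DROPPED_EXE),
    Event("process", DROPPED_EXE, DROPPED_EXE, DROPPED_EXE + " --1cbc15eb"),
    Event("mutex", DROPPED_EXE, target=r"\BaseNamedObjects\Global\ID1A8F11D"),
]


def summarize(events=SAMPLE_EVENTS):
    """Hit count per rule, a quick triage view of one host's events."""
    counts = {}
    for rule, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, indicator in detect(SAMPLE_EVENTS):
        print(f"{rule}: {indicator}")
```

          The report notes that the CreateMutex chain may stop execution when the mutex already exists, so an existing Global\ID1A8F11D on a host is worth treating as an infection marker in its own right. The SysWOW64 write rule alone will also fire on legitimate installers launched from a user profile; require it together with the Zone.Identifier deletion or the self-relaunch rule before alerting.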
          Source: