
Analysis Report 9nZ3r5ZN45

Overview

General Information

Sample Name: 9nZ3r5ZN45 (renamed file extension from none to exe)
Analysis ID: 377823
MD5: 910fe72c4f1bd5a451561f732d94a8b8
SHA1: a93ebdd16c5862b178d6e5c58d3e074df772a021
SHA256: 6beb4a5bcbdaf33f697eea6a4f7f2e9704cc88c20c265d0ce42287d930d06345
Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Injects files into Windows application
Sigma detected: Executables Started in Suspicious Folder
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Starts Microsoft Word (often done to prevent the user from noticing that something is wrong)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 9nZ3r5ZN45.exe (PID: 6004 cmdline: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' MD5: 910FE72C4F1BD5A451561F732D94A8B8)
    • LibHelper.exe (PID: 6076 cmdline: 'C:\Windows\Help\Windows\LibHelper.exe' MD5: 813B19969C3B67C6BB1369433142021A)
    • WINWORD.EXE (PID: 5572 cmdline: 'C:\Windows\Help\Windows\WINWORD.EXE' MD5: 15E52F52ED2B8ED122FAE897119687C4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Windows\Help\Windows\wwlib.dll
Rule: SUSP_XORed_URL_in_EXE
Description: Detects an XORed URL in an executable
Author: Florian Roth
Strings:
  • 0x53890:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Help\Windows\LibHelper.exe', CommandLine: 'C:\Windows\Help\Windows\LibHelper.exe', CommandLine|base64offset|contains: , Image: C:\Windows\Help\Windows\LibHelper.exe, NewProcessName: C:\Windows\Help\Windows\LibHelper.exe, OriginalFileName: C:\Windows\Help\Windows\LibHelper.exe, ParentCommandLine: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe', ParentImage: C:\Users\user\Desktop\9nZ3r5ZN45.exe, ParentProcessId: 6004, ProcessCommandLine: 'C:\Windows\Help\Windows\LibHelper.exe', ProcessId: 6076

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\Help\Windows\wwlib.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Multi AV Scanner detection for dropped file
Source: C:\Windows\Help\Windows\LibHelper.exe | ReversingLabs: Detection: 16%
Source: C:\Windows\Help\Windows\wwlib.dll | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: 9nZ3r5ZN45.exe | Virustotal: Detection: 50%
Source: 9nZ3r5ZN45.exe | ReversingLabs: Detection: 25%
Source: 2.2.WINWORD.EXE.6d860000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 9nZ3r5ZN45.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Help\Windows\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: 9nZ3r5ZN45.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source: Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source: Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source: Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085A02E FindFirstFileExA
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01075746 FindFirstFileExW
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D868875 FindFirstFileExW
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03039CCD FindFirstFileExW
Source: WINWORD.EXE, 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp | String found in binary or memory: http://%s%08x.txtc:
Source: WINWORD.EXE, 00000002.00000002.462222699.000000000164A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008370B9: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File deleted: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008462E0
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00838458
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085C100
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00850113
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083320E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084F3CA
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00843446
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085C5AE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083F5FB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083E546
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00850548
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008606A4
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008436C1
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00846715
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083277D
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084F8C6
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083E9A9
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008439F2
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00845911
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083DB11
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083BB6E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084FCDE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00853D1A
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00846D4E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00835EAB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00833FBD
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083DF48
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00853F49
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_0107B4DD
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D86E601
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03058BD0
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303F81C
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303C0D0
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0306F631
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303F6FC
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303C568
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_030415A0
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03031406
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_030354BB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084E2F0 appears 31 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084D8C4 appears 38 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084D9C0 appears 51 times
Source: 9nZ3r5ZN45.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 resources of this kind)
Source: WINWORD.EXE.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (46 resources of this kind)
Source: LibHelper.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources of this kind)
Source: 9nZ3r5ZN45.exe, 00000000.00000003.198404389.0000000000666000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewlib.dll2 vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203238414.00000000049F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.202920472.00000000026C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 9nZ3r5ZN45.exe
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: dxgidebug.dll
Source: 9nZ3r5ZN45.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Help\Windows\wwlib.dll, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-03-09
Source: classification engine | Classification label: mal80.evad.winEXE@5/3@0/0
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00836E20 GetLastError,FormatMessageW
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle 2_2_0303107D
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008496AD FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303107D RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\Help\Windows\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\edgDDEA.tmp
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: sfxname 0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: sfxstime 0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: STARTDLG 0_2_0084CC0E
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PcHelper 1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER 1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: @Cw 1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER 1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PcHelper 1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER 1_2_010710A0
Source: C:\Windows\Help\Windows\WINWORD.EXE | Command line argument: wwlib.dll 2_2_2FF1159F
Source: C:\Windows\Help\Windows\WINWORD.EXE | Command line argument: FMain 2_2_2FF1159F
Source: 9nZ3r5ZN45.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9nZ3r5ZN45.exe | Virustotal: Detection: 50%
Source: 9nZ3r5ZN45.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File read: C:\Users\user\Desktop\9nZ3r5ZN45.exe
Source: unknown | Process created: C:\Users\user\Desktop\9nZ3r5ZN45.exe 'C:\Users\user\Desktop\9nZ3r5ZN45.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\Help\Windows\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9nZ3r5ZN45.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source: Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source: Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source: Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109
Source: wwlib.dll.0.dr | Static PE information: section name: .detourc
Source: wwlib.dll.0.dr | Static PE information: section name: .detourd
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E336 push ecx; ret 0_2_0084E349
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084D8C4 push eax; ret 0_2_0084D8E2
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071F24 push ecx; ret 1_2_01071F36
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_2FF1153C push ecx; ret 2_2_2FF1154F
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D864F04 push ecx; ret 2_2_6D864F16
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0305931B push ecx; ret 2_2_03059319
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032E74 push ecx; ret 2_2_03032E86

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Executable created and started: C:\Windows\Help\Windows\LibHelper.exe
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Executable created and started: C:\Windows\Help\Windows\WINWORD.EXE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\wwlib.dll
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\LibHelper.exe
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\WINWORD.EXE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\WINWORD.EXE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Help\Windows\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains functionality to detect sleep reduction / modificationsShow sources
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_6D8613512_2_6D861351
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03062842 rdtsc 2_2_03062842
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_6D8613512_2_6D861351
Source: C:\Windows\Help\Windows\LibHelper.exe TID: 4660Thread sleep time: -260000s >= -30000sJump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560Thread sleep count: 111 > 30Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560Thread sleep time: -111000s >= -30000sJump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXELast function: Thread delayed
Source: C:\Windows\Help\Windows\WINWORD.EXELast function: Thread delayed
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0083A383
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0084B014
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0085A02E FindFirstFileExA,0_2_0085A02E
Source: C:\Windows\Help\Windows\LibHelper.exeCode function: 1_2_01075746 FindFirstFileExW,1_2_01075746
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_6D868875 FindFirstFileExW,2_2_6D868875
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03039CCD FindFirstFileExW,2_2_03039CCD
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0084D3A8 VirtualQuery,GetSystemInfo,0_2_0084D3A8
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03062842 rdtsc 2_2_03062842
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0084E4F5
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_2FF116C4 GetLastError,OutputDebugStringA,2_2_2FF116C4
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_00856B19 mov eax, dword ptr fs:[00000030h]0_2_00856B19
Source: C:\Windows\Help\Windows\LibHelper.exeCode function: 1_2_01075478 mov eax, dword ptr fs:[00000030h]1_2_01075478
Source: C:\Windows\Help\Windows\LibHelper.exeCode function: 1_2_01073CED mov eax, dword ptr fs:[00000030h]1_2_01073CED
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_6D868442 mov eax, dword ptr fs:[00000030h]2_2_6D868442
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_6D866F25 mov eax, dword ptr fs:[00000030h]2_2_6D866F25
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03051188 mov eax, dword ptr fs:[00000030h]2_2_03051188
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03069722 mov eax, dword ptr fs:[00000030h]2_2_03069722
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03035F74 mov eax, dword ptr fs:[00000030h]2_2_03035F74
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03067E15 mov eax, dword ptr fs:[00000030h]2_2_03067E15
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_030696DE mov eax, dword ptr fs:[00000030h]2_2_030696DE
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_03052D21 mov eax, dword ptr fs:[00000030h]2_2_03052D21
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_0303946E mov eax, dword ptr fs:[00000030h]2_2_0303946E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085ACFC GetProcessHeap
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E643 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E7FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00857C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071C8F SetUnhandledExceptionFilter
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_010719D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_010736EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071AF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_2FF11B2C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D86497A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D8667F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D864A9B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032289 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303760D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032CAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

Note: every IsDebuggerPresent hit listed here sits inside a SetUnhandledExceptionFilter / UnhandledExceptionFilter sequence (with IsProcessorFeaturePresent, _crt_debugger_hook, GetCurrentProcess and TerminateProcess around it). That is the MSVC C runtime's fatal-error reporting path (the __scrt_fastfail and GS-failure handlers), which is linked into almost every MSVC-built binary, and the same sequences recur in all three images. On their own these functions are weak evidence of deliberate debugger detection; the GetProcessHeap hit is likewise just a heap handle lookup unless the heap flags are inspected afterwards.
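As an added example (not part of the Joe Sandbox report and not Joe Sandbox's own scoring logic), the script below re-scores Code function lines like the ones above. It parses the image, function id and API list from each line, accepts both the raw extraction and the cleaned "image | Code function:" layout, and counts IsDebuggerPresent as a real debugger check only when it is not accompanied by the SetUnhandledExceptionFilter / UnhandledExceptionFilter pair that the MSVC runtime's crash-reporting handlers call. The weights and label names are a heuristic assumption; the sample input is constructed by copying four lines from the report and adding one invented line for C:\constructed\example.exe so that a genuine hit shows up.

```python
"""Added example, not part of the Joe Sandbox report: re-score the "Code
function" evidence by checking whether each API sequence is the MSVC C
runtime's crash-reporting idiom rather than a hand-written debugger check.
The classification weights are a heuristic assumption, not Joe Sandbox logic.
"""
import re
from collections import Counter

# Sample input constructed for this example: the first four lines are copied
# from the report, the last one is invented to show a real hit.
SAMPLE = r"""
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0084E4F5
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeCode function: 0_2_0085ACFC GetProcessHeap,0_2_0085ACFC
Source: C:\Windows\Help\Windows\LibHelper.exeCode function: 1_2_01071C8F SetUnhandledExceptionFilter,1_2_01071C8F
Source: C:\Windows\Help\Windows\WINWORD.EXECode function: 2_2_2FF11B2C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_2FF11B2C
Source: C:\constructed\example.exe | Code function: 0_2_DEADBEEF IsDebuggerPresent,ExitProcess,0_2_DEADBEEF
"""

# Accepts both the raw extraction ("...exeCode function:") and a cleaned
# "image | Code function: id api,api,...,id" layout.
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*(?P<fid>\S+)\s+(?P<calls>.+?)\s*$"
)

# The two calls that, together with IsDebuggerPresent, make up the runtime's
# __scrt_fastfail / GS-failure reporting path.
CRASH_IDIOM = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def parse(text):
    """Yield (image, function id, [api, ...]) for each Code function line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Drop the function id that the report repeats at the end of the list.
        calls = [c for c in m["calls"].split(",") if c and c != m["fid"]]
        yield m["image"], m["fid"], calls


def classify(calls):
    """Return (label, weight): weight 0 = noise, higher = worth a look."""
    apis = set(calls)
    if "IsDebuggerPresent" in apis and CRASH_IDIOM <= apis:
        # IsDebuggerPresent only decides whether to invoke the unhandled
        # exception filter: CRT crash reporting, present in most MSVC binaries.
        return "crt-crash-handler", 0
    if "IsDebuggerPresent" in apis:
        # A debugger check that feeds something other than crash reporting.
        return "explicit-debugger-check", 3
    if "SetUnhandledExceptionFilter" in apis:
        # Installing a top-level SEH filter: CRT start-up does it, but so does
        # exception-based anti-debugging, so keep it visible at low weight.
        return "seh-filter-install", 1
    if "GetProcessHeap" in apis:
        # Heap-flag checks start here, but so does every heap allocation.
        return "heap-handle", 0
    return "other", 0


def score(text):
    """Sum the weights per image and count the labels seen in it."""
    result = {}
    for image, _fid, calls in parse(text):
        label, weight = classify(calls)
        entry = result.setdefault(image, {"weight": 0, "labels": Counter()})
        entry["weight"] += weight
        entry["labels"][label] += 1
    return result


if __name__ == "__main__":
    for image, entry in score(SAMPLE).items():
        print(f"{entry['weight']:>2}  {image}  {dict(entry['labels'])}")
```

Run against the report's own lines every image scores 0 or 1; only the invented line, where IsDebuggerPresent is followed by ExitProcess rather than the exception filter, reaches a weight worth a manual look. Extend the table with PEB.BeingDebugged reads, NtQueryInformationProcess(ProcessDebugPort) or timing checks as the report lists them.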

HIPS / PFW / Operating System Protection Evasion:

Injects files into Windows application
Source: C:\Windows\Help\Windows\WINWORD.EXE | Injected file: C:\Windows\Help\Windows\wwlib.dll was created by C:\Users\user\Desktop\9nZ3r5ZN45.exe
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D8611F0 GetCurrentThread,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,CreateThread,GetLastError,FindCloseChangeNotification,UnmapViewOfFile
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E34B cpuid
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00849E0C GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084CC0E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083AA39 GetVersionExW
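As an added example (not from the Joe Sandbox report), the hunting rule below replays the process-creation and file-drop lines above and flags the chain they describe: wwlib.dll written into C:\Windows\Help\Windows by the sample, and a WINWORD.EXE then started from that same directory, which is the DLL Side-Loading entry in the report's ATT&CK matrix. The host/DLL table, the Office install directories, the suspicious-directory list and the benign fourth sample line (explorer.exe starting Word from C:\Program Files) are assumptions for illustration; the first three sample lines are copied from the report, and the parser accepts both the raw extraction and the cleaned "image | Process created:" layout.

```python
"""Added example, not part of the Joe Sandbox report: a hunting rule that
replays the process-creation and file-drop lines from the report and flags
the chain they describe, a DLL written next to a WINWORD.EXE that is then
launched from a directory where Word is never installed.  The host/DLL
table, directory lists and the benign sample line are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Signed binaries that load a DLL of a fixed name from their own directory and
# are therefore common side-loading hosts (assumed table; extend from CTI).
SIDELOAD_HOSTS = {"winword.exe": {"wwlib.dll"}}
# Where the genuine host lives (assumed; depends on Office version/bitness).
OFFICE_DIRS = (r"c:\program files\microsoft office",
               r"c:\program files (x86)\microsoft office")
# System sub-directories from which no executable should ever start.
SUSPICIOUS_DIRS = (r"c:\windows\help", r"c:\windows\temp", r"c:\users\public")

# Sample events: the first three lines are copied from the report; the fourth
# is a constructed benign launch of Word from its real install path.
SAMPLE_LINES = [
    r"Source: C:\Windows\Help\Windows\WINWORD.EXEInjected file: C:\Windows\Help\Windows\wwlib.dll was created by C:\Users\user\Desktop\9nZ3r5ZN45.exeJump to behavior",
    r"Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeProcess created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe' Jump to behavior",
    r"Source: C:\Users\user\Desktop\9nZ3r5ZN45.exeProcess created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE' Jump to behavior",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'",
]


@dataclass
class Event:
    kind: str    # "drop": a file was written; "create": a process was started
    actor: str   # process responsible for it
    target: str  # the file or image path


PATTERNS = {
    "drop": re.compile(r"Injected file:\s*(?P<target>.+?)\s+was created by\s+(?P<actor>.+?)\s*$"),
    "create": re.compile(r"Source:\s*(?P<actor>.+?)\s*\|?\s*Process created:\s*(?P<target>.+?)\s+'"),
}


def parse(lines):
    """Turn report lines into Events, ignoring the web page's link residue."""
    events = []
    for raw in lines:
        line = raw.replace("Jump to behavior", "").strip()
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append(Event(kind, m["actor"], m["target"]))
                break
    return events


def hunt(lines):
    """Return one finding per suspicious process start; empty list if clean."""
    events = parse(lines)
    dropped = {e.target.lower(): e for e in events if e.kind == "drop"}
    findings = []
    for e in events:
        if e.kind != "create":
            continue
        image = e.target.lower()
        directory, base = ntpath.split(image)
        if image.startswith(SUSPICIOUS_DIRS):
            findings.append(f"exec-from-suspicious-dir: {e.target} (parent {e.actor})")
        # Side-load rule: host binary outside its install path, and one of the
        # DLLs it loads by name was dropped into that same directory.
        if base in SIDELOAD_HOSTS and not image.startswith(OFFICE_DIRS):
            for dll in SIDELOAD_HOSTS[base]:
                drop = dropped.get(ntpath.join(directory, dll))
                if drop:
                    findings.append(
                        f"dll-sideload: {base} started from {directory} with {dll} "
                        f"written beside it by {drop.actor}")
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES):
        print(finding)
```

The two rules deliberately fire independently: LibHelper.exe trips only the suspicious-directory rule, while the WINWORD.EXE launch trips both, and the benign Word start from C:\Program Files trips neither. The same logic maps directly onto Sysmon file-create and process-create events if the parser is swapped for an event reader.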

Mitre Att&ck Matrix

The report renders this as a tactic-by-technique grid; it is listed here by tactic. The number in parentheses after a technique is the signature-count badge the report attaches to it (the digits were fused to the name in extraction); techniques without a number are unpopulated grid cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Service Execution (1); Shared Modules (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Windows Service (2); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Windows Service (2); Process Injection (112); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (12); Virtualization/Sandbox Evasion (2); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); File Deletion (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (26); Virtualization/Sandbox Evasion (2); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (24); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

[Interactive behavior graph not reproduced in this text extraction. Its legend distinguished processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet access.]
Screenshots
