Source: Process started | Author: Florian Roth: Data: Command: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Help\Windows\LibHelper.exe, NewProcessName: C:\Windows\Help\Windows\LibHelper.exe, OriginalFileName: C:\Windows\Help\Windows\LibHelper.exe, ParentCommandLine: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' , ParentImage: C:\Users\user\Desktop\9nZ3r5ZN45.exe, ParentProcessId: 6004, ProcessCommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , ProcessId: 6076 |
Source: C:\Windows\Help\Windows\wwlib.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2 |
Source: C:\Windows\Help\Windows\LibHelper.exe | ReversingLabs: Detection: 16% |
Source: C:\Windows\Help\Windows\wwlib.dll | ReversingLabs: Detection: 16% |
Source: 9nZ3r5ZN45.exe | Virustotal: Detection: 50% |
Source: 9nZ3r5ZN45.exe | ReversingLabs: Detection: 25% |
Source: 2.2.WINWORD.EXE.6d860000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 9nZ3r5ZN45.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: C:\Windows\Help\Windows\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll |
Source: 9nZ3r5ZN45.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe |
Source: | Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr |
Source: | Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr |
Source: | Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, | 0_2_0083A383 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, | 0_2_0084B014 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085A02E FindFirstFileExA, | 0_2_0085A02E |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01075746 FindFirstFileExW, | 1_2_01075746 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D868875 FindFirstFileExW, | 2_2_6D868875 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03039CCD FindFirstFileExW, | 2_2_03039CCD |
Source: WINWORD.EXE, 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp | String found in binary or memory: http://%s%08x.txtc: |
Source: WINWORD.EXE, 00000002.00000002.462222699.000000000164A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008370B9: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, | 0_2_008370B9 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File deleted: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008462E0 | 0_2_008462E0 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00838458 | 0_2_00838458 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085C100 | 0_2_0085C100 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00850113 | 0_2_00850113 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083320E | 0_2_0083320E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084F3CA | 0_2_0084F3CA |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00843446 | 0_2_00843446 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085C5AE | 0_2_0085C5AE |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083F5FB | 0_2_0083F5FB |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083E546 | 0_2_0083E546 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00850548 | 0_2_00850548 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008606A4 | 0_2_008606A4 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008436C1 | 0_2_008436C1 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00846715 | 0_2_00846715 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083277D | 0_2_0083277D |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084F8C6 | 0_2_0084F8C6 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083E9A9 | 0_2_0083E9A9 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008439F2 | 0_2_008439F2 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00845911 | 0_2_00845911 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083DB11 | 0_2_0083DB11 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083BB6E | 0_2_0083BB6E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084FCDE | 0_2_0084FCDE |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00853D1A | 0_2_00853D1A |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00846D4E | 0_2_00846D4E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00835EAB | 0_2_00835EAB |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00833FBD | 0_2_00833FBD |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083DF48 | 0_2_0083DF48 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00853F49 | 0_2_00853F49 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_0107B4DD | 1_2_0107B4DD |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D86E601 | 2_2_6D86E601 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03058BD0 | 2_2_03058BD0 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303F81C | 2_2_0303F81C |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303C0D0 | 2_2_0303C0D0 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0306F631 | 2_2_0306F631 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303F6FC | 2_2_0303F6FC |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303C568 | 2_2_0303C568 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_030415A0 | 2_2_030415A0 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03031406 | 2_2_03031406 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_030354BB | 2_2_030354BB |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084E2F0 appears 31 times |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084D8C4 appears 38 times |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: String function: 0084D9C0 appears 51 times |
Source: 9nZ3r5ZN45.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 resources) |
Source: WINWORD.EXE.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (46 resources) |
Source: LibHelper.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources) |
Source: 9nZ3r5ZN45.exe, 00000000.00000003.198404389.0000000000666000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewlib.dll2 vs 9nZ3r5ZN45.exe |
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 9nZ3r5ZN45.exe |
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9nZ3r5ZN45.exe |
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203238414.00000000049F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 9nZ3r5ZN45.exe |
Source: 9nZ3r5ZN45.exe, 00000000.00000002.202920472.00000000026C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 9nZ3r5ZN45.exe |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Section loaded: dxgidebug.dll |
Source: C:\Windows\Help\Windows\wwlib.dll, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-03-09 |
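The SUSP_XORed_URL_in_EXE match on the dropped wwlib.dll and the http://%s%08x.txtc: format string found in WINWORD.EXE memory both point at URL strings the payload keeps behind a single-byte XOR. What follows is an added example, not part of the Joe Sandbox report or of the sample: a Python scanner that does what YARA's xor modifier does for that rule, trying every single-byte key against the http:// and https:// markers, and then decodes the rest of the string so the analyst gets the URL and the key rather than only a hit. The sample buffer, the URLs in it and the keys 0x2A and 0x7F are constructed for the demonstration.

```python
"""Single-byte-XOR URL scanner (added example; the sample blob is constructed)."""

# The markers the YARA rule SUSP_XORed_URL_in_EXE encodes with every
# single-byte key (its `xor(0x01-0xff)` string modifier).
MARKERS = (b"http://", b"https://")

# Bytes that may appear in a URL once decoded (RFC 3986 unreserved, reserved
# and the percent sign); decoding stops at the first byte outside this set.
URL_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 512):
    """Return [(offset, key, url), ...] for every URL in buf that is stored
    either in clear (key 0) or XORed with a single byte (keys 1..255).

    The string is followed until a raw NUL, a byte that does not decode to a
    URL character (which also covers an XORed NUL terminator), or max_len.
    """
    hits = []
    for key in range(256):
        for marker in MARKERS:
            needle = xor_bytes(marker, key)
            start = 0
            while (off := buf.find(needle, start)) >= 0:
                end = off
                while end < len(buf) and end - off < max_len:
                    raw = buf[end]
                    if raw == 0 or (raw ^ key) not in URL_CHARS:
                        break
                    end += 1
                hits.append((off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                start = off + 1
    return sorted(hits)


# Constructed sample blob (not taken from the analysed binary): one plaintext
# URL and two XOR-encoded copies of another, padded with NULs like a .rdata run.
PLAIN_URL = b"http://example.invalid/%08x.txt"
HIDDEN_URL = b"https://c2.example.invalid/update"
SAMPLE_BLOB = (
    b"\x00" * 8 + PLAIN_URL
    + b"\x00" * 8 + xor_bytes(HIDDEN_URL, 0x2A)
    + b"\x00" * 8 + xor_bytes(HIDDEN_URL, 0x7F)
    + b"\x00" * 8
)


if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE_BLOB):
        print(f"offset 0x{off:x} key 0x{key:02x}: {url}")
```

Run it over a process memory dump or the .rdata of the dropped DLL rather than the packed file on disk: the YARA match shows the encoded marker is present in the file, but a format string such as http://%s%08x.txtc: is only filled in at runtime, so the host part of the URL may exist nowhere in the static image.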
Source: classification engine | Classification label: mal80.evad.winEXE@5/3@0/0 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00836E20 GetLastError,FormatMessageW, | 0_2_00836E20 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_008496AD FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, | 0_2_008496AD |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303107D RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 2_2_0303107D |
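The function at 2_2_0303107D in WINWORD.EXE's memory opens the service control manager, calls CreateServiceA and ChangeServiceConfig2A and writes registry values, which is the persistence step of this sample. A service created that way is recorded on the host as System log event 7045 (A service was installed in the system). The following is an added example, not from the report: a Python triage over constructed 7045 records that extracts the executable from the ImagePath field (quoted with arguments, unquoted with arguments, or a driver path with the \??\ prefix) and flags services whose binary lives outside the usual installation roots, noting auto-start and LocalSystem because those are what make the persistence durable and privileged. The records, the service names and the trusted roots are constructed for the demonstration.

```python
"""Service-install (event 7045) triage (added example; records are constructed)."""
from pathlib import PureWindowsPath

# Where a legitimately installed service binary is expected to live.
# Constructed for the demonstration; tune to your build standard.
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

AUTO_START_TYPES = {"auto start", "boot start", "system start"}


def image_from_image_path(image_path: str) -> str:
    """Return the executable or driver path from a 7045 ImagePath value.

    Handles a quoted path followed by arguments, an unquoted path with spaces
    and arguments (cut after the first .exe/.sys), and the \\??\\ prefix that
    kernel drivers carry.
    """
    s = image_path.strip()
    if s.startswith('"'):
        s = s[1 : s.index('"', 1)]
    else:
        low = s.lower()
        cuts = [low.find(ext) + 4 for ext in (".exe", ".sys") if low.find(ext) >= 0]
        s = s[: min(cuts)] if cuts else s
    if s.startswith("\\??\\"):
        s = s[4:]
    return s


def triage_7045(records):
    """Return [(service_name, image, reasons), ...] for installs outside trusted roots."""
    alerts = []
    for rec in records:
        image = image_from_image_path(rec["ImagePath"])
        parents = PureWindowsPath(image).parents  # case-insensitive comparison
        if any(PureWindowsPath(root) in parents for root in TRUSTED_ROOTS):
            continue
        reasons = ["image outside trusted roots"]
        if rec.get("StartType", "").lower() in AUTO_START_TYPES:
            reasons.append("auto-start")
        if rec.get("AccountName", "").lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        alerts.append((rec["ServiceName"], image, reasons))
    return alerts


# Constructed 7045 records: one mirroring this sample's drop directory, two
# benign installs, and a driver loaded from a user-writable path.
SAMPLE_7045 = [
    {"ServiceName": "HelperSvc", "ImagePath": r"C:\Windows\Help\Windows\LibHelper.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent", "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "ExampleSvchostSvc", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "vmdrv", "ImagePath": r"\??\C:\Users\user\AppData\Local\Temp\vmdrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start", "AccountName": ""},
]

if __name__ == "__main__":
    for name, image, reasons in triage_7045(SAMPLE_7045):
        print(f"{name}: {image}: {', '.join(reasons)}")
```

ChangeServiceConfig2A is also worth watching on its own: it is how a freshly created service gets a plausible description or a delayed auto-start, and it leaves no 7045 of its own, so pair this check with registry monitoring of HKLM\SYSTEM\CurrentControlSet\Services.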
Source: C:\Windows\Help\Windows\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\edgDDEA.tmp |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: sfxname | 0_2_0084CC0E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: sfxstime | 0_2_0084CC0E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Command line argument: STARTDLG | 0_2_0084CC0E |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PcHelper | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: @Cw | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PcHelper | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Command line argument: PCHELPER | 1_2_010710A0 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Command line argument: wwlib.dll | 2_2_2FF1159F |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Command line argument: FMain | 2_2_2FF1159F |
Source: 9nZ3r5ZN45.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File read: C:\Windows\win.ini |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File read: C:\Users\user\Desktop\9nZ3r5ZN45.exe |
Source: unknown | Process created: C:\Users\user\Desktop\9nZ3r5ZN45.exe 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe' |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE' |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 9nZ3r5ZN45.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 9nZ3r5ZN45.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: wwlib.dll.0.dr | Static PE information: section name: .detourc |
Source: wwlib.dll.0.dr | Static PE information: section name: .detourd |
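The .detourc and .detourd section names in the dropped wwlib.dll are the sections that Microsoft Detours' PE rewriter (setdll.exe / DetourBinaryWrite) appends when it edits a binary's import table, so the DLL was modified after it was built rather than shipped as compiled. The following is an added example, not from the report or the sample: a dependency-free Python reader for the PE section table that lists section names and flags Detours sections together with any section mapped both writable and executable, a layout that unpackers and self-modifying stages rely on. The image it runs against is produced by build_sample_pe, a constructed, non-loadable PE32 header whose section flags are chosen for the demonstration; it is not the real wwlib.dll.

```python
"""PE section-table inspector (added example; the sample PE is constructed)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Sections added by Microsoft Detours' binary rewriter when it edits a PE's
# import table (setdll.exe / DetourBinaryWrite).
DETOURS_SECTIONS = {b".detourc", b".detourd"}

FILE_HEADER = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes):
    """Return [(name, virtual_address, raw_size, characteristics), ...].

    The optional header is skipped using SizeOfOptionalHeader, so PE32 and
    PE32+ files are read the same way.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, pe, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(FILE_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name, _virtual_size, va, raw_size = fields[0], fields[1], fields[2], fields[3]
        characteristics = fields[9]
        sections.append((name.rstrip(b"\0"), va, raw_size, characteristics))
    return sections


def section_findings(pe: bytes):
    """Return [(section_name, finding), ...] worth an analyst's attention."""
    findings = []
    for name, _va, _raw_size, chars in parse_sections(pe):
        if name in DETOURS_SECTIONS:
            findings.append((name.decode(), "Detours-rewritten import table"))
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name.decode(), "writable and executable"))
    return findings


def build_sample_pe(sections):
    """Build a minimal PE32 header with the given [(name, characteristics)]
    section table. Constructed for the demonstration; it cannot be loaded."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 IMAGE_OPTIONAL_HEADER
    # Machine=i386, NumberOfSections, stamps/symbols zeroed, SizeOfOptionalHeader,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    file_header = struct.pack(FILE_HEADER, 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    va = 0x1000
    for name, chars in sections:
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), 0x200, va, 0x200, 0, 0, 0, 0, 0, chars)
        va += 0x1000
    return dos_header + b"PE\0\0" + file_header + optional_header + table


SAMPLE_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".detourc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".detourd", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".stage", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for name, va, raw_size, chars in parse_sections(SAMPLE_PE):
        print(f"{name.decode():<10} va=0x{va:06x} raw=0x{raw_size:x} chars=0x{chars:08x}")
    print(section_findings(SAMPLE_PE))
```

On a real file, read the bytes from disk and pass them to section_findings; a Detours-edited DLL keeps its original import table inside the added section, so the next step is to diff the imports the loader actually resolves against the ones the unmodified vendor DLL declares.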
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E336 push ecx; ret | 0_2_0084E349 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084D8C4 push eax; ret | 0_2_0084D8E2 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071F24 push ecx; ret | 1_2_01071F36 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_2FF1153C push ecx; ret | 2_2_2FF1154F |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D864F04 push ecx; ret | 2_2_6D864F16 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0305931B push ecx; ret | 2_2_03059319 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032E74 push ecx; ret | 2_2_03032E86 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Executable created and started: C:\Windows\Help\Windows\LibHelper.exe |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Executable created and started: C:\Windows\Help\Windows\WINWORD.EXE |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\wwlib.dll |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\LibHelper.exe |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File created: C:\Windows\Help\Windows\WINWORD.EXE |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process created: C:\Windows\Help\Windows\WINWORD.EXE |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D861351 | 2_2_6D861351 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03062842 rdtsc | 2_2_03062842 |
Source: C:\Windows\Help\Windows\LibHelper.exe TID: 4660 | Thread sleep time: -260000s >= -30000s |
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560 | Thread sleep count: 111 > 30 |
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560 | Thread sleep time: -111000s >= -30000s |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Last function: Thread delayed |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Last function: Thread delayed |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084D3A8 VirtualQuery,GetSystemInfo, | 0_2_0084D3A8 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0084E4F5 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_2FF116C4 GetLastError,OutputDebugStringA, | 2_2_2FF116C4 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00856B19 mov eax, dword ptr fs:[00000030h] | 0_2_00856B19 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01075478 mov eax, dword ptr fs:[00000030h] | 1_2_01075478 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01073CED mov eax, dword ptr fs:[00000030h] | 1_2_01073CED |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D868442 mov eax, dword ptr fs:[00000030h] | 2_2_6D868442 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D866F25 mov eax, dword ptr fs:[00000030h] | 2_2_6D866F25 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03051188 mov eax, dword ptr fs:[00000030h] | 2_2_03051188 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03069722 mov eax, dword ptr fs:[00000030h] | 2_2_03069722 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03035F74 mov eax, dword ptr fs:[00000030h] | 2_2_03035F74 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03067E15 mov eax, dword ptr fs:[00000030h] | 2_2_03067E15 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_030696DE mov eax, dword ptr fs:[00000030h] | 2_2_030696DE |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03052D21 mov eax, dword ptr fs:[00000030h] | 2_2_03052D21 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303946E mov eax, dword ptr fs:[00000030h] | 2_2_0303946E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0085ACFC GetProcessHeap, | 0_2_0085ACFC |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E643 SetUnhandledExceptionFilter, | 0_2_0084E643 |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E7FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0084E7FC |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00857C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00857C57 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071C8F SetUnhandledExceptionFilter, | 1_2_01071C8F |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_010719D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_010719D8 |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_010736EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_010736EF |
Source: C:\Windows\Help\Windows\LibHelper.exe | Code function: 1_2_01071AF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_01071AF9 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_2FF11B2C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, | 2_2_2FF11B2C |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D86497A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_6D86497A |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D8667F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_6D8667F2 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D864A9B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_6D864A9B |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032289 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_03032289 |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_0303760D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_0303760D |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_03032CAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_03032CAF |
Source: C:\Windows\Help\Windows\WINWORD.EXE | Injected file: C:\Windows\Help\Windows\wwlib.dll was created by C:\Users\user\Desktop\9nZ3r5ZN45.exe |
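The dropper writes what its winword.pdb path shows to be a Microsoft-built WINWORD.EXE into C:\Windows\Help\Windows\ next to a wwlib.dll it also wrote, then starts it. Word loads its core code from wwlib.dll by bare name and calls the FMain export seen above, so the DLL in the same directory is what actually runs, inside a process whose image is a legitimate Word binary. The following is an added example, not from the report: a Python triage over Sysmon-style process-create (event 1) and image-load (event 7) records that flags a known side-load host running outside its install directory and the companion DLL being loaded from that directory. The event records, the host table and the install roots are constructed for the demonstration; extend the table with the other host/companion pairs your estate cares about.

```python
"""DLL side-loading triage over Sysmon-style events (added example; events are constructed)."""
from pathlib import PureWindowsPath

# Host executables known to load a companion DLL by bare name from their own
# directory, with the directories they are legitimately installed under.
# Constructed table for the demonstration; extend it for your environment.
SIDELOAD_HOSTS = {
    "winword.exe": {
        "dll": "wwlib.dll",
        "install_roots": (
            r"C:\Program Files\Microsoft Office",
            r"C:\Program Files (x86)\Microsoft Office",
        ),
    },
}


def is_under(path: str, roots) -> bool:
    """True if path lies below one of roots (case-insensitive, Windows rules)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(root) in parents for root in roots)


def host_profile(event):
    """Look the process up by image basename or by its OriginalFileName."""
    names = {PureWindowsPath(event["Image"]).name.lower()}
    if event.get("OriginalFileName"):
        names.add(PureWindowsPath(event["OriginalFileName"]).name.lower())
    for name in names:
        if name in SIDELOAD_HOSTS:
            return SIDELOAD_HOSTS[name]
    return None


def triage(events):
    """Return [(event_id, reason, path), ...] for side-loading indicators."""
    alerts = []
    for ev in events:
        host = host_profile(ev)
        if host is None or is_under(ev["Image"], host["install_roots"]):
            continue  # not a known host, or running from where it was installed
        if ev["EventID"] == 1:
            alerts.append((1, "side-load host running outside its install root", ev["Image"]))
        elif ev["EventID"] == 7:
            loaded = PureWindowsPath(ev["ImageLoaded"])
            if loaded.name.lower() == host["dll"] and loaded.parent == PureWindowsPath(ev["Image"]).parent:
                alerts.append((7, "companion DLL loaded from the host's own directory", ev["ImageLoaded"]))
    return alerts


# Constructed events mirroring the report's process tree plus benign Office activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\9nZ3r5ZN45.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Help\Windows\WINWORD.EXE", "OriginalFileName": "WinWord.exe",
     "ParentImage": r"C:\Users\user\Desktop\9nZ3r5ZN45.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Help\Windows\WINWORD.EXE", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\Help\Windows\WINWORD.EXE", "ImageLoaded": r"C:\Windows\Help\Windows\wwlib.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
]

if __name__ == "__main__":
    for eid, reason, path in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {reason}: {path}")
```

Matching on OriginalFileName as well as the on-disk name matters because the host can be renamed without breaking the side-load; the reverse check, a DLL that carries the companion's name but no vendor signature, is a good second rule once Sysmon's Signed/Signature fields are available in your events.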
Source: C:\Windows\Help\Windows\WINWORD.EXE | Code function: 2_2_6D8611F0 GetCurrentThread,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,CreateThread,GetLastError,FindCloseChangeNotification,UnmapViewOfFile, | 2_2_6D8611F0 |
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084E34B cpuid | 0_2_0084E34B |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_00849E0C GetLocaleInfoW,GetNumberFormatW, | 0_2_00849E0C |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0084CC0E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, | 0_2_0084CC0E |
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe | Code function: 0_2_0083AA39 GetVersionExW, | 0_2_0083AA39 |