Source: E7CThb0bFa.exe |
Virustotal: Detection: 84% |
Source: E7CThb0bFa.exe |
ReversingLabs: Detection: 92% |
Source: 1.2.E7CThb0bFa.exe.400000.0.unpack |
Avira: Label: TR/Kazy.MK |
Source: 0.2.E7CThb0bFa.exe.24e0000.2.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 1.1.E7CThb0bFa.exe.400000.0.unpack |
Avira: Label: TR/Kazy.MK |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00408558 CryptUnprotectData,LocalFree, |
1_2_00408558 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
1_2_00412FA3 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00408558 CryptUnprotectData,LocalFree, |
1_1_00408558 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
1_1_00412FA3 |
Source: E7CThb0bFa.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, |
1_2_004113A5 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, |
1_1_004113A5 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
0_2_00405304 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, |
1_2_00417437 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, |
1_2_0041737C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, |
1_1_00417437 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, |
1_1_0041737C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00414C41 select,recv, |
1_2_00414C41 |
Source: E7CThb0bFa.exe |
String found in binary or memory: http://www.google.com/webhp |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp, E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp |
String found in binary or memory: http://www.google.com/webhpbc |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041047C GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, |
1_2_0041047C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0042D190 GetKeyboardState, |
0_2_0042D190 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, |
1_2_00419084 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, |
1_1_00419084 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_004108EC OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, |
1_2_004108EC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044A56C NtdllDefWindowProc_A, |
0_2_0044A56C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00430020 NtdllDefWindowProc_A,GetCapture, |
0_2_00430020 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00424C58 NtdllDefWindowProc_A, |
0_2_00424C58 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
0_2_0044AD10 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
0_2_0044ADC0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0043F83C GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
0_2_0043F83C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00413620 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, |
1_2_00413620 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00418801 InitiateSystemShutdownExW,ExitWindowsEx, |
1_2_00418801 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
1_2_0041D21C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00418801 InitiateSystemShutdownExW,ExitWindowsEx, |
1_1_00418801 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
1_1_0041D21C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00444A1C |
0_2_00444A1C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0043F83C |
0_2_0043F83C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00414A51 |
1_2_00414A51 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0040D6D4 |
1_2_0040D6D4 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00412EAF |
1_2_00412EAF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0040171B |
1_2_0040171B |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00414A51 |
1_1_00414A51 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_0040D6D4 |
1_1_0040D6D4 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00412EAF |
1_1_00412EAF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_0040171B |
1_1_0040171B |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: String function: 004041E0 appears 68 times |
|
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: String function: 00406324 appears 61 times |
|
Source: E7CThb0bFa.exe, 00000000.00000002.637101486.0000000000A90000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs E7CThb0bFa.exe |
Source: classification engine |
Classification label: mal80.bank.troj.evad.winEXE@3/0@0/0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0041DA04 GetLastError,FormatMessageA, |
0_2_0041DA04 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, |
1_2_00405554 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, |
1_2_004053DF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, |
1_1_00405554 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, |
1_1_004053DF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, |
1_2_004133CA |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, |
1_1_004133CA |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_004085C0 GetDiskFreeSpaceA, |
0_2_004085C0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0040647F CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, |
1_2_0040647F |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00408C77 CoCreateInstance, |
1_2_00408C77 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00406179 CompareStringA,RtlEnterCriticalSection,FindResourceA, |
0_2_00406179 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\E7CThb0bFa.exe 'C:\Users\user\Desktop\E7CThb0bFa.exe' |
|
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Process created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe |
|
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00424218 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232BE08 push FAF50000h; retn 0000h |
0_3_0232BE0D |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232CB68 push ds; retf 0000h |
0_3_0232D370 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232D354 push ds; retf 0000h |
0_3_0232D370 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_02327FA0 pushad ; retf 0000h |
0_3_02327FBF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232741D pushfd ; retn 0003h |
0_3_02327429 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_02329865 push edx; iretd |
0_3_0232988C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232ACA4 pushad ; retf |
0_3_0232ADC2 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_02328C9C push ss; retf 004Ch |
0_3_02336AFF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_02329100 push eax; ret |
0_3_02329152 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232E57F push ss; iretd |
0_3_0232E59F |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232C550 pushfd ; retf |
0_3_0232C551 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232D9B3 push edx; retf 0000h |
0_3_0232D9EC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_0232BDF4 push ds; ret |
0_3_0232BE07 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_023289E0 push ebx; ret |
0_3_02328A0A |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_3_02329DEB push ebx; retf 0000h |
0_3_02329DEC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00437334 push 004373C1h; ret |
0_2_004373B9 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044A5F4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
0_2_0044A5F4 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_004225DC IsIconic,GetWindowPlacement,GetWindowRect, |
0_2_004225DC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00432878 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
0_2_00432878 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
0_2_0044AD10 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
0_2_0044ADC0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_004475DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
0_2_004475DC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00431744 IsIconic,GetCapture, |
0_2_00431744 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00431FF8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
0_2_00431FF8 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00426D88 |
0_2_00426D88 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00449B50 GetCurrentThreadId,GetCursorPos,WaitForSingleObject, |
0_2_00449B50 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0041DFA0 GetSystemInfo, |
0_2_0041DFA0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00424218 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041C2AE mov edx, dword ptr fs:[00000030h] |
1_2_0041C2AE |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_1_0041C2AE mov edx, dword ptr fs:[00000030h] |
1_1_0041C2AE |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041C5F3 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, |
1_2_0041C5F3 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Memory written: C:\Users\user\Desktop\E7CThb0bFa.exe base: 400000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_004152ED InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, |
1_2_004152ED |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_004054DC GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
0_2_004054DC |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0040C424 GetLocaleInfoA,GetACP, |
0_2_0040C424 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0040AE50 GetLocaleInfoA, |
0_2_0040AE50 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_0040AE9C GetLocaleInfoA, |
0_2_0040AE9C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00405E24 GetLocaleInfoA, |
0_2_00405E24 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00409924 GetLocalTime, |
0_2_00409924 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00407242 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, |
1_2_00407242 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00411E28 GetTimeZoneInformation, |
1_2_00411E28 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 0_2_00437334 GetVersion, |
0_2_00437334 |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp |
Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\ |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp |
String found in binary or memory: RFB 003.003 |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp |
String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003 |
Source: E7CThb0bFa.exe |
String found in binary or memory: RFB 003.003 |
Source: E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp |
String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_0041511E socket,bind,closesocket, |
1_2_0041511E |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe |
Code function: 1_2_00414E40 socket,bind,listen,closesocket, |
1_2_00414E40 |