Source: E7CThb0bFa.exe | Virustotal: Detection: 84% |
Source: E7CThb0bFa.exe | ReversingLabs: Detection: 92% |
Source: 1.2.E7CThb0bFa.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK |
Source: 0.2.E7CThb0bFa.exe.24e0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 1.1.E7CThb0bFa.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00408558 CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00408558 CryptUnprotectData,LocalFree, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00412FA3 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: E7CThb0bFa.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_004113A5 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00405304 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00417437 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_0041737C FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00414C41 select,recv, |
Source: E7CThb0bFa.exe | String found in binary or memory: http://www.google.com/webhp |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp, E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.google.com/webhpbc |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041047C GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0042D190 GetKeyboardState, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00419084 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_004108EC OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0044A56C NtdllDefWindowProc_A, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00430020 NtdllDefWindowProc_A,GetCapture, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00424C58 NtdllDefWindowProc_A, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0044AD10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0044ADC0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0043F83C GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00413620 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00418801 InitiateSystemShutdownExW,ExitWindowsEx, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00418801 InitiateSystemShutdownExW,ExitWindowsEx, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_0041D21C CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00444A1C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0043F83C |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00414A51 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0040D6D4 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00412EAF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0040171B |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00414A51 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_0040D6D4 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00412EAF |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_0040171B |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: String function: 004041E0 appears 68 times |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: String function: 00406324 appears 61 times |
Source: E7CThb0bFa.exe, 00000000.00000002.637101486.0000000000A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs E7CThb0bFa.exe |
Source: classification engine | Classification label: mal80.bank.troj.evad.winEXE@3/0@0/0 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0041DA04 GetLastError,FormatMessageA, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_00405554 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_004053DF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_004133CA GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_004085C0 GetDiskFreeSpaceA, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0040647F CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00408C77 CoCreateInstance, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00406179 CompareStringA,RtlEnterCriticalSection,FindResourceA, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\E7CThb0bFa.exe 'C:\Users\user\Desktop\E7CThb0bFa.exe' |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Process created: C:\Users\user\Desktop\E7CThb0bFa.exe C:\Users\user\Desktop\E7CThb0bFa.exe |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00424218 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232BE08 push FAF50000h; retn 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232CB68 push ds; retf 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232D354 push ds; retf 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_02327FA0 pushad ; retf 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232741D pushfd ; retn 0003h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_02329865 push edx; iretd |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232ACA4 pushad ; retf |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_02328C9C push ss; retf 004Ch |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_02329100 push eax; ret |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232E57F push ss; iretd |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232C550 pushfd ; retf |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232D9B3 push edx; retf 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_0232BDF4 push ds; ret |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_023289E0 push ebx; ret |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_3_02329DEB push ebx; retf 0000h |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00437334 push 004373C1h; ret |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0044A5F4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_004225DC IsIconic,GetWindowPlacement,GetWindowRect, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00432878 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_004475DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00431744 IsIconic,GetCapture, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00431FF8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00426D88 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_0041DFA0 GetSystemInfo, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041C2AE mov edx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_1_0041C2AE mov edx, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041C5F3 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Memory written: C:\Users\user\Desktop\E7CThb0bFa.exe base: 400000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_004152ED InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: GetLocaleInfoA,GetACP, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00409924 GetLocalTime, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00407242 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00411E28 GetTimeZoneInformation, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 0_2_00437334 GetVersion, |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp | Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroybcdfghklmnpqrstvwxzaeiouyGlobal\Local\ |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp | String found in binary or memory: RFB 003.003 |
Source: E7CThb0bFa.exe, 00000000.00000002.637292990.00000000024E0000.00000004.00000001.sdmp | String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003 |
Source: E7CThb0bFa.exe | String found in binary or memory: RFB 003.003 |
Source: E7CThb0bFa.exe, 00000001.00000001.636690147.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: .exe-fSysListView32MDIClientCiceroUIWndFrameConsoleWindowClass#32768SysShadowFIXMERFB 003.003 |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_0041511E socket,bind,closesocket, |
Source: C:\Users\user\Desktop\E7CThb0bFa.exe | Code function: 1_2_00414E40 socket,bind,listen,closesocket, |