Analysis Report TPZi2Evolution des moyens de trasport.exe

Overview

General Information

Sample Name: TPZi2Evolution des moyens de trasport.exe
Analysis ID: 385486
MD5: 3ffead9503aef3dd3c60fc58b0c41d01
SHA1: 94596dc41a99f7e6c3f5209e3d65d797082ec93b
SHA256: fc3adb1a06fb6e66dc53ad01726b85af4c296a3438a49df73b98b7d481f6d154

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Creates a DirectInput object (often for capturing keystrokes)
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files

Classification

Classification label (from the classification engine, see System Summary): mal48.winEXE@1/1@0/0, score 48 of 100. Context for reading the signatures above: the version info (OriginalFilename SAFlashPlayer.exe), the debug string FlashPlayer.pdb, the Flash Player update and settings URLs, and the AssetCache directory created under AppData\Roaming\Adobe\Flash Player all identify the binary as an Adobe standalone Flash Player projector. The low-level mouse hook was set by C:\Windows\system32\dinput8.dll, the DirectInput library whose DirectInput8Create string raised the keystroke-capture signature, so both input signatures describe that library rather than a hook procedure in the sample's own code. The thawte.com, symcb.com, symcd.com and symantec.com URLs ending in "0", "0(", "0%" or "0_" are CRL, OCSP, AIA and CPS pointers copied out of embedded X.509 certificates; the trailing characters are the DER tag (0x30) and length byte of the element that follows each URL, not part of the URL. No network connections were observed during the run.

Compliance:

Uses 32bit PE files
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: FlashPlayer.pdb source: TPZi2Evolution des moyens de trasport.exe
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpending.heu.swz
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ad./adserver/e?type=playererrorhttp://ad.auditude.com/adserver/e?type=playererror//_.dashmpd&
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ad./adserver?tm=15&u=&u=&l=&z=&of=1.4&g=Auditude
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ad.auditude.com/adserver/e?type=playererror
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://cdn2.auditude.com/assets/3p/v
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://cdn2.auditude.com/assets/3p/vService
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://dashif.org/guidelines/trickmode1
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.607497816.0000000001C26000.00000002.00020000.sdmp String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_WUV
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_WUiF
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://fpdownload2.macromedia.com/get/https://fpdownload.macromedia.com/get/https://www.macromedia.c
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ocsp.thawte.com0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://s.symcd.com0_
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u8
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u82L
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://sw.symcd.com0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://www.macromedia.com
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://www.macromedia.com/go/player_settings_
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://ats.macromedia.com/Players/ATS/ATS10AS3/Shipping/html/Security/ProtectedMode/PenTestDriverDL
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://auth.adobefpl.com/1/
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://d.symcb.com/rpa0)
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://fpdownload.macromedia.com/get/
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://primetimeenablement.sc.omtrdc.net/b/ss//6
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://primetimeenablement.sc.omtrdc.net/b/ss//6primesample2
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgi
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.612301693.0000000005815000.00000004.00000040.sdmp String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/.
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.612301693.0000000005815000.00000004.00000040.sdmp String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/rs
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.612301693.0000000005815000.00000004.00000040.sdmp String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/x
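The URL list above is typical string-extraction output: adjacent literals are merged (the `http://%shttp://a.SharedObject...` line), and URLs read out of certificate fields carry the next DER element's tag byte (0x30, ASCII "0") and often its length byte. The following triage script is an added example written for this page, not part of the sandbox report; it splits merged literals, strips the DER tail only where that yields a known PKI host, and buckets every host into "pki" (certificate-chain endpoints), "adobe" (Flash Player update, settings and Adobe Primetime advertising/analytics hosts), "template" (format strings) or "unknown" (the list to review by hand). The sample input is a constructed excerpt of the lines above, and the domain attributions in `EXPECTED` are the editor's, not something the report states.

```python
import re

# Constructed excerpt of the "String found in binary or memory" lines in this
# report, including the concatenated-literal and format-string cases.
SAMPLE_STRINGS = [
    "http://crl.thawte.com/ThawteTimestampingCA.crl0",
    "http://ocsp.thawte.com0",
    "http://s.symcb.com/pca3-g5.crl0",
    "http://s.symcd.com0_",
    "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(",
    "http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_WUiF",
    "http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu",
    "http://ad.auditude.com/adserver/e?type=playererror",
    "https://primetimeenablement.sc.omtrdc.net/b/ss//6",
    "http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u8",
    "http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpending.heu.swz",
]

# Domains the report already accounts for (editor's attribution, an assumption).
# "pki": CRL/OCSP/AIA/CPS URLs that live inside X.509 certificates.
# "adobe": Flash Player update/settings endpoints plus Adobe Primetime
# (Auditude) advertising and Adobe Analytics (omtrdc.net) hosts.
EXPECTED = {
    "pki": ("thawte.com", "symcb.com", "symcd.com", "symantec.com"),
    "adobe": ("macromedia.com", "adobe.com", "adobefpl.com", "auditude.com", "omtrdc.net"),
}

URL_START = re.compile(r"(?=https?://)")
HOST = re.compile(r"^https?://([A-Za-z0-9.-]+)")
# A URL inside a certificate is followed by the next DER element. Its SEQUENCE
# tag 0x30 is ASCII "0" and the length byte is often printable, which is why the
# PKI strings above end in "0", "0(", "0%", "0_" or "07".
DER_TAIL = re.compile(r"0[\x21-\x7e]?$")


def category(host):
    for cat, domains in EXPECTED.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return cat
    return "unknown"


def split_urls(s):
    """String extraction merges adjacent literals; split them back apart."""
    return [p for p in URL_START.split(s) if p.startswith(("http://", "https://"))]


def normalize(url):
    """Return (host, category). The DER tail is removed only when the result is a known PKI host."""
    m = HOST.match(url)
    if not m:
        return url, "template"          # e.g. "http://%s", a printf template
    host = m.group(1)
    trimmed = DER_TAIL.sub("", host, count=1)
    if trimmed != host and category(trimmed) == "pki":
        host = trimmed
    return host, category(host)


def triage(strings):
    """Group every embedded URL host by category; "unknown" is the manual review list."""
    out = {"pki": set(), "adobe": set(), "unknown": set(), "template": set()}
    for s in strings:
        for url in split_urls(s):
            host, cat = normalize(url)
            out[cat].add(host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for cat, hosts in triage(SAMPLE_STRINGS).items():
        print(cat, hosts)
```

Running it on the excerpt leaves two hosts in "unknown": the s3.amazonaws.com test asset and the merged `a.SharedObject...heu.swz` pseudo-host, which is exactly the pair an analyst should look at by hand rather than treat as contacted infrastructure.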

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.607497816.0000000001C26000.00000002.00020000.sdmp Binary or memory string: DirectInput8Create
Installs a global mouse hook
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

System Summary:

PE file contains strange resources
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (11 RT_ICON resources, each reported with this type)
Sample file is different than original file name gathered from version info
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.622283403.000000000AB80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs TPZi2Evolution des moyens de trasport.exe
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000000.333150151.0000000002165000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSAFlashPlayer.exe@ vs TPZi2Evolution des moyens de trasport.exe
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.622292153.000000000AB90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsacm32.acm.muij% vs TPZi2Evolution des moyens de trasport.exe
Source: TPZi2Evolution des moyens de trasport.exe Binary or memory string: OriginalFilenameSAFlashPlayer.exe@ vs TPZi2Evolution des moyens de trasport.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Section loaded: comres.dll
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Section loaded: ws2help.dll
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Section loaded: xpsp2res.dll
Uses 32bit PE files
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal48.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: ms-help:
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: G@msencdata:hcp:ms-help:etc:vnd.ms.wmhtml:wmhtml:mhtml:Ms-its:mk:@MSITStore:local://rtmfp:rtmpte:rtmpe:rtmps:rtmpt:rtmp:https%3ahttp%3ablob:jar:feed:pcast:file:////\\#? ^ [A-Za-z0-9]+ :// [^/?#]+ https://http://:443:80https:http:"noneinternalallsameDomainneveralwaysrtmp://http://www.adobe.com/go/about_flash_playerlevelevent:FWS
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: unaru. <a href='http://adobe.com/go/addlocalstorage_rs' target='_blank'><u><font color='#0000FF'>Saznajte vi
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: imaldab kiiremini laadida ja teavet arvutisse salvestada. <a href='http://adobe.com/go/addlocalstorage_ee' target='_blank'><u><font color='#0000FF'>Lisateave</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: imaldab kiiremini laadida ja teavet arvutisse salvestada. <a href='http://adobe.com/go/addlocalstorage_ee' target='_blank'><u><font color='#0000FF'>Lisateave</font></u></a>Rakenduse otsetee loomineSalvesta heliKopeeri pilt nimega ...Kopeeri pildi asukohtKopeeri piltSalvesta link nimega ...Lisa link j
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: <br/><a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: iame kompiuteryje. <a href='http://adobe.com/go/addlocalstorage_lt' target='_blank'><u><font color='#0000FF'>Su
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: . <a href='http://adobe.com/go/addlocalstorage_lv' target='_blank'><u><font color='#0000FF'>Uzziniet vair
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: . <a href='http://adobe.com/go/addlocalstorage_ua' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: unalu. <a href='http://adobe.com/go/addlocalstorage_hr' target='_blank'><u><font color='#0000FF'>Saznajte vi
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: iile pe acest computer. <a href='http://adobe.com/go/addlocalstorage_ro' target='_blank'><u><font color='#0000FF'>Mai multe informa
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: unalniku. <a href='http://adobe.com/go/addlocalstorage_si' target='_blank'><u><font color='#0000FF'>Ve
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: . <a href='http://adobe.com/go/addlocalstorage_bg' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: i. <a href='http://adobe.com/go/addlocalstorage_sk' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: . <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: Allow this game to use local storage? This will allow it to load faster and save information on this computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font colour='#0000FF'>Learn More</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: WARNING: For content targeting Flash Player version 14 or higher, ExternalInterface escapes strings using JSON conventions. To maintain compatibility, content published to earlier Flash Player versions continues to use the legacy escaping behaviour.by <a href='%1' target='_blank'><u><font colour='#0000FF'>%2</font></u></a>Allow this game to use local storage? This will allow it to load faster and save information on this computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font colour='#0000FF'>Learn More</font></u></a>Reload FilmFilm not loaded...Hae p
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: paikallista tallennustilaa? Tietojen tallentaminen paikallisesti nopeuttaa pelin latautumista. <a href='http://adobe.com/go/addlocalstorage_fi' target='_blank'><u><font color='#0000FF'>Lis
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: pen. <a href='http://adobe.com/go/addlocalstorage_hu' target='_blank'><u><font color='#0000FF'>Tov
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: datamaskinen. <a href='http://adobe.com/go/addlocalstorage_no' target='_blank'><u><font color='#0000FF'>Finn ut mer</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: datamaskinen. <a href='http://adobe.com/go/addlocalstorage_no' target='_blank'><u><font color='#0000FF'>Finn ut mer</font></u></a>Opprett programsnarveiLydopptakLagre bilde som...Kopier bildeplasseringKopier bildeLagre kobling som...Bokmerkekobling...Kopier koblingsplassering
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: o no computador. <a href='http://adobe.com/go/addlocalstorage_pt' target='_blank'><u><font color='#0000FF'>Saber mais</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: o no computador. <a href='http://adobe.com/go/addlocalstorage_pt' target='_blank'><u><font color='#0000FF'>Saber mais</font></u></a>Criar atalho de aplica
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: denne computer. <a href='http://adobe.com/go/addlocalstorage_da' target='_blank'><u><font color='#0000FF'>F
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: klenmesine ve bu bilgisayarda bilgi kaydetmesine izin verir. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Daha Fazla Bilgi</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: klenmesine ve bu bilgisayarda bilgi kaydetmesine izin verir. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Daha Fazla Bilgi</font></u></a>Uygulama K
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: r datorn. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>L
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: es neste computador. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Saiba mais</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: es neste computador. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Saiba mais</font></u></a>Criar atalho de aplicativoGravar
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: informacji na tym komputerze. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Wi
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: Lokale opslag toegankelijk maken voor dit spel? Hierdoor wordt het spel sneller geladen en worden de spelgegevens opgeslagen op deze computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Meer informatie</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: -inhoud uit dit domein niet naar behoren.<br><br><font color='#0000FF'><u><a href='http://www.adobe.com/go/learn_fp_safari_safe_mode_nl'>Meer informatie</a></u></font></textformat>Toevoegen aan Adobe PlaypanelVastmaken aan Startprobeert te communiceren met deze voor internet geschikte locatie:De volgende lokale toepassing op uw computer of netwerk:Adobe Flash Player heeft een potentieel onveilige bewerking gestopt.NeeEen script in deze film zorgt ervoor dat Adobe Flash Player langzaam wordt uitgevoerd. Als dit script actief blijft, reageert de computer mogelijk niet meer. Wilt u het script afbreken?Sneltoets voor deze toepassing maken op het bureaublad?Sneltoets toevoegen aan bureaubladToevoegen aan lokale opslag in Flash Playerdoor <a href='%1' target='_blank'><u><font color='#0000FF'>%2</font></u></a>Sneltoets makenAnnulerenVastzetten op taakbalkToevoegen aan menu StartToevoegen aan bureaubladSneltoetsen voor de toepassing maken in de volgende locaties:Ook sneltoetsen voor de toepassing maken in de volgende locaties:Lokale opslag toegankelijk maken voor dit spel? Hierdoor wordt het spel sneller geladen en worden de spelgegevens opgeslagen op deze computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Meer informatie</font></u></a>Sneltoets voor de toepassing makenAudio opnemenAfbeelding opslaan als...Afbeeldingslocatie kopi
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: informazioni su questo computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Altre informazioni</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: informazioni su questo computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Altre informazioni</font></u></a>Crea collegamento applicazioneRegistra audioSalva immagine con nome...Copia posizione immagineCopia immagineSalva collegamento con nome...Imposta collegamento come segnalibro...Copia posizione collegamentoApri in una nuova schedaApri in una nuova finestraApriSeleziona tuttoEliminaIncollaCopiaTagliaAnnullaInformazioni su Adobe Flash Player %s...Impostazioni globali...Impostazioni...Ricarica filmatoMostra aree ridisegnoStampa...Filmato non caricato...IndietroAvantiRiavvolgiCicloRiproduciBassaQualit
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: ? Le jeu pourra se charger plus rapidement et enregistrer des informations sur cet ordinateur. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>En savoir plus</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: ? Le jeu pourra se charger plus rapidement et enregistrer des informations sur cet ordinateur. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>En savoir plus</font></u></a>Cr
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: n en este ordenador. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>M
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: Darf dieses Spiel den lokalen Speicher verwenden? Dadurch wird es schneller geladen und kann Informationen auf diesem Computer speichern. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Weitere Informationen</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: pfungen auch hier erstellen:Darf dieses Spiel den lokalen Speicher verwenden? Dadurch wird es schneller geladen und kann Informationen auf diesem Computer speichern. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Weitere Informationen</font></u></a>Verkn
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: e. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Dal
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: Allow this game to use local storage? This will allow it to load faster and save information on this computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Learn More</font></u></a>
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: Check for Updates...Create Shortcut on Desktop<textformat leftmargin='2' rightmargin='2'>Do you trust this content to connect to the Internet?</textformat>WARNING: For content targeting Flash Player version 14 or higher, ExternalInterface escapes strings using JSON conventions. To maintain compatibility, content published to earlier Flash Player versions continues to use the legacy escaping behavior.<textformat leftmargin='2' rightmargin='2'>"Add to Adobe Playpanel" has failed. You must first launch and login to Adobe Playpanel to use this feature.</textformat>Find games with Adobe Playpanel<textformat leftmargin='2' rightmargin='2'>You must adjust Safari's security preferences to allow Flash content from this domain to work properly.<br><br><font color='#0000FF'><u><a href='http://www.adobe.com/go/learn_fp_safari_safe_mode'>Learn More</a></u></font></textformat>Add to Adobe PlaypanelPin to Startis trying to communicate with this Internet-enabled location:The following local application on your computer or network:Adobe Flash Player has stopped a potentially unsafe operation.NoYesA script in this movie is causing Adobe Flash Player to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?Create a desktop shortcut for this application?Add shortcut to desktopAdd to Local Storage in Flash Playerby <a href='%1' target='_blank'><u><font color='#0000FF'>%2</font></u></a>Create ShortcutsOKCancelPin to TaskbarAdd to Start menuAdd to DesktopCreate application shortcuts in these places:Also create application shortcuts in these places:Allow this game to use local storage? This will allow it to load faster and save information on this computer. <a href='http://adobe.com/go/addlocalstorage' target='_blank'><u><font color='#0000FF'>Learn More</font></u></a>Create Application ShortcutRecord AudioSave Image As...Copy Image LocationCopy ImageSave link as...Bookmark link...Open in new tabAbout Adobe Flash Player %s...Global Settings...Settings...Reload MoviePrint...Movie not loaded...HighMediumLowFull ScreenSetWaitableTimerExpJ
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: <!--StartFragment-->
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: flashplayer/update/current/install/inline/
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: mflashplayer/update/current/install/inline/.datAFCache?nocache=https://auth.adobefpl.com/1/
Source: TPZi2Evolution des moyens de trasport.exe String found in binary or memory: [mem] sweep-start
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe File read: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TPZi2Evolution des moyens de trasport.exe Static file information: File size 17140460 > 1048576
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x952c00
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1d8400
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1c1200
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FlashPlayer.pdb source: TPZi2Evolution des moyens de trasport.exe
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: real checksum: 0xe2f1fa should be:
PE file contains sections with non-standard names
Source: TPZi2Evolution des moyens de trasport.exe Static PE information: section name: .rodata
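The static signatures in Compliance, System Summary and this section (32BIT_MACHINE / EXECUTABLE_IMAGE, DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE, the non-standard `.rodata` section and the invalid checksum) are all read from PE header fields, and each can be re-checked without the sandbox. The script below is an added example written for this page, not code from the report or from the analysis tool: it parses those fields from a raw image, recomputes the image CheckSum with the same fold-and-add algorithm imagehlp uses, and rewrites a correct value. Because the analysed file is not reproduced here, it builds its own constructed headers-only PE32 image mirroring the reported facts; the stored value 0xe2f1fa is taken from the report, and the list of "standard" section names is the editor's assumption.

```python
import struct

# Section names a linker normally emits (editor's list); anything else, such as
# the .rodata section reported above, is what the "non-standard names" signature keys on.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}
COFF_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}


def pe_checksum(data, checksum_offset):
    """Image CheckSum as imagehlp computes it: sum the 32-bit words with carry
    folding, skipping the CheckSum field itself, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def inspect_pe(data):
    """The static facts behind the report's PE signatures, read from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_off = opt + 0x40                     # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    names = []
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        names.append(data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
    computed = pe_checksum(data, checksum_off)
    return {
        "machine": hex(machine),
        "pe32": magic == 0x10B,
        "coff_flags": sorted(n for b, n in COFF_FLAGS.items() if chars & b),
        "dll_flags": sorted(n for b, n in DLL_FLAGS.items() if dll_chars & b),
        "sections": names,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        # 0 means "not set" (common for user-mode builds); a non-zero mismatch
        # is what the "invalid checksum" signature reports.
        "checksum_ok": stored == computed,
    }


def stamp_checksum(data):
    """Copy of the image with the correct CheckSum written into the optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 0x40
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_sample(section_names, checksum):
    """Constructed minimal PE32 image (headers only, no section data) mirroring the
    reported facts: i386, EXECUTABLE_IMAGE|32BIT_MACHINE, DYNAMIC_BASE|NX_COMPAT|
    TERMINAL_SERVER_AWARE. This is not the analysed sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)             # CheckSum
    struct.pack_into("<H", opt, 0x44, 2)                    # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 0x46, 0x8140)               # DllCharacteristics
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1),
                    0x200, 0, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects


if __name__ == "__main__":
    # 0xe2f1fa is the stored value the report prints for the real sample.
    img = build_sample([".text", ".rdata", ".rodata", ".rsrc", ".reloc"], 0xE2F1FA)
    for k, v in inspect_pe(img).items():
        print(f"{k}: {v}")
    print("checksum_ok after stamping:", inspect_pe(stamp_checksum(img))["checksum_ok"])
```

On a real file, pass `open(path, "rb").read()` to `inspect_pe`; a checksum mismatch on a user-mode executable is a weak signal on its own (Windows only enforces it for drivers and a few system images), which is why it sits under Data Obfuscation as one indicator among several rather than as a verdict.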

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon5339.png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Process information set: NOOPENFILEERRORBOX (4 events)
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.608569932.00000000021F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.608569932.00000000021F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.608569932.00000000021F0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: TPZi2Evolution des moyens de trasport.exe, 00000001.00000002.608569932.00000000021F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\TPZi2Evolution des moyens de trasport.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior graph (rendered figure; text recovered from it): Behavior Graph ID 385486, sample TPZi2Evolution des moyens de trasport.exe, start date 12/04/2021, architecture WINDOWS, score 48. Signature shown on the graph: Icon mismatch, binary includes an icon from a different legit application in order to fool users. Single process started: TPZi2Evolution des moyens de trasport.exe.
No contacted IP infos