Windows Analysis Report 1Edyk9e6oL

Overview

General Information

Sample Name: 1Edyk9e6oL (renamed file extension from none to exe)
Analysis ID: 528554
MD5: 6a8ebc295dbde6256299d4236732cbdc
SHA1: 6975e7c55935f838401f9682480ea3b6749f7307
SHA256: 04595c3111276f02b6dc2ece0778cb5829c086484aeafa24e0aac3d8479deb4b
Tags: BABADEDA-Crypter, exe, signed, Ursnif

Detection

Ursnif
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
PE file has a writeable .text section
Writes or reads registry keys via WMI
Obfuscated command line found
Writes registry values via WMI
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 19.2.restsharp.exe.35294a0.2.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 1Edyk9e6oL.exe Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe ReversingLabs: Detection: 35%
Antivirus / Scanner detection for submitted sample
Source: 1Edyk9e6oL.exe Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 19.2.restsharp.exe.100000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen8
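Added example (not part of the Joe Sandbox report): the extracted Ursnif configuration above is the most actionable artefact on this page, but as printed it repeats the primary C2 between fallbacks and mixes config constants with IOCs. The script below parses that blob into deduplicated IOCs, sanity-checks the values the extractor reports (16-byte Serpent key, base64 RSA blob), cross-checks the C2 list against the sandbox DNS line from the Networking section, and emits Suricata dns.query rules. The vendor brand list used to flag the Avast-lookalike hostname is an assumption made for the example; the config and DNS line are copied from this report.

```python
"""Added example, not part of the Joe Sandbox report: turn the extracted Ursnif
configuration into deduplicated IOCs, sanity-check the values, cross-check the
C2 list against the sandbox DNS log, and emit Suricata dns.query rules."""
import base64
import json
import re
from dataclasses import dataclass, field

# Copied verbatim from the "Found malware configuration" line of this report.
RAW_CONFIG = '{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}'

# Copied from the Networking section of this report: the one DNS query the sandbox saw.
DNS_LOG = ["query: get.updates.avast.cn replaycode: Name error (3)"]

# Assumption for the example: vendor names a C2 hostname might imitate.
VENDOR_BRANDS = ("avast", "microsoft", "google", "adobe")

_DNS_RE = re.compile(r"query:\s*(\S+)\s+replaycode:\s*.*?\((\d+)\)")
NXDOMAIN = 3  # DNS RCODE 3, "Name error"


@dataclass
class UrsnifIocs:
    botnet: str
    server: str
    serpent_key: str
    rsa_key_bytes: int
    dga_count: int
    sleep_seconds: int
    c2_domains: list            # deduplicated, first-seen order
    lookalike_domains: list     # C2 names that carry a vendor brand as a label
    notes: list = field(default_factory=list)


def parse_ursnif_config(raw: str) -> UrsnifIocs:
    cfg = json.loads(raw)
    notes = []
    # The extractor repeats the primary C2 between fallbacks; keep first-seen order.
    c2 = []
    for dom in cfg.get("c2_domain", []):
        dom = dom.strip().lower().rstrip(".")
        if dom and dom not in c2:
            c2.append(dom)
    lookalikes = [d for d in c2 if any(b in d.split(".") for b in VENDOR_BRANDS)]
    key = cfg.get("serpent_key", "")
    if len(key.encode()) != 16:   # ISFB/Ursnif uses a 16-byte Serpent key
        notes.append(f"serpent_key is {len(key)} bytes, expected 16")
    try:
        rsa_bytes = len(base64.b64decode(cfg.get("RSA Public Key", ""), validate=True))
    except ValueError:
        rsa_bytes = 0
        notes.append("RSA Public Key is not valid base64")
    return UrsnifIocs(
        botnet=str(cfg.get("botnet", "")),
        server=str(cfg.get("server", "")),
        serpent_key=key,
        rsa_key_bytes=rsa_bytes,
        dga_count=int(cfg.get("DGA_count", 0)),
        sleep_seconds=int(cfg.get("sleep_time", 0)),
        c2_domains=c2,
        lookalike_domains=lookalikes,
        notes=notes,
    )


def dns_outcomes(iocs: UrsnifIocs, log_lines) -> dict:
    """Map each C2 domain to the RCODE the sandbox saw (None = never queried)."""
    seen = {}
    for line in log_lines:
        m = _DNS_RE.search(line)
        if m:
            seen[m.group(1).lower()] = int(m.group(2))
    return {d: seen.get(d) for d in iocs.c2_domains}


def looks_expired(outcomes: dict) -> bool:
    """The report's 'expired dropper' heuristic: every C2 that was queried came back NXDOMAIN."""
    queried = [rc for rc in outcomes.values() if rc is not None]
    return bool(queried) and all(rc == NXDOMAIN for rc in queried)


def to_suricata_rules(iocs: UrsnifIocs, base_sid: int = 1000001) -> list:
    """One exact-match dns.query rule per C2 domain; sids are in the local-use block."""
    return [
        f'alert dns any any -> any any (msg:"Ursnif botnet {iocs.botnet} C2 {dom}"; '
        f'dns.query; content:"{dom}"; nocase; bsize:{len(dom)}; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, dom in enumerate(iocs.c2_domains)
    ]


if __name__ == "__main__":
    iocs = parse_ursnif_config(RAW_CONFIG)
    print(iocs)
    print("expired dropper:", looks_expired(dns_outcomes(iocs, DNS_LOG)))
    print("\n".join(to_suricata_rules(iocs)))
```

Note that only one of the five unique C2 names was ever queried in the sandbox; the "expired dropper" verdict rests on that single NXDOMAIN, so the remaining four domains should still be blocked and hunted for, not treated as dead.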

Compliance:

Uses 32bit PE files
Source: 1Edyk9e6oL.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: 1Edyk9e6oL.exe Static PE information: certificate valid
Source: 1Edyk9e6oL.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040AEF4 FindFirstFileW,FindClose, 1_2_0040AEF4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 1_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError, 6_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E6A0 FindFirstFileW,FindClose, 6_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 6_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 6_2_006B8DE4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040AEF4 FindFirstFileW,FindClose, 9_2_0040AEF4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError, 10_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E6A0 FindFirstFileW,FindClose, 10_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 10_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 10_2_006B8DE4
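Added example (not from the report): the static PE information above is given as flag names only, and two of them matter together. RELOCS_STRIPPED in the COFF header with DYNAMIC_BASE in the optional header means the loader cannot rebase the image, so the ASLR opt-in is ineffective; and the "writeable .text section" signature in the overview is a section-rights check. The script below is a dependency-free reader for exactly those header fields, with the triage checks applied to them. It parses a synthetic PE32 header that build_test_image() constructs from the flag combination reported for 1Edyk9e6oL.exe; the section table in SAMPLE_SECTIONS, including the non-standard name, is made up for the example and is not taken from the sample.

```python
"""Added example, not from the report: a dependency-free reader for the PE header
bits listed above (file Characteristics, DllCharacteristics, section rights) and
the triage checks an analyst applies to them. The image it parses is a synthetic
header built in build_test_image(); the section names there are made up."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, as named in this report (winnt.h values).
FILE_FLAGS = {
    "RELOCS_STRIPPED": 0x0001, "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004, "LOCAL_SYMS_STRIPPED": 0x0008,
    "BYTES_REVERSED_LO": 0x0080, "32BIT_MACHINE": 0x0100,
    "BYTES_REVERSED_HI": 0x8000,
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits.
DLL_FLAGS = {"DYNAMIC_BASE": 0x0040, "NX_COMPAT": 0x0100, "TERMINAL_SERVER_AWARE": 0x8000}
# IMAGE_SECTION_HEADER.Characteristics bits.
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x00000020, 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".CRT"}

# Flag combination reported for 1Edyk9e6oL.exe in the Compliance section above.
REPORT_FILE_CHARS = sum(FILE_FLAGS[n] for n in (
    "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE", "BYTES_REVERSED_LO", "EXECUTABLE_IMAGE",
    "LINE_NUMS_STRIPPED", "BYTES_REVERSED_HI", "RELOCS_STRIPPED"))
REPORT_DLL_CHARS = sum(DLL_FLAGS[n] for n in ("TERMINAL_SERVER_AWARE", "DYNAMIC_BASE", "NX_COMPAT"))
# Synthetic section table (made up for the example): a writable .text as the
# report's signature describes, one normal section, and a non-standard name.
SAMPLE_SECTIONS = [
    (".text", SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE),
    (".rdata", 0x40 | SCN_READ),
    (".stub0", 0x40 | SCN_READ | SCN_WRITE),
]


def flags_to_names(value: int, table: dict) -> list:
    return [name for name, bit in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Read COFF Characteristics, DllCharacteristics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _syms, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((fields[0].rstrip(b"\0").decode("latin-1"), fields[-1]))
    return {"pe32plus": magic == 0x20B, "characteristics": chars,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(pe: dict) -> list:
    f, d = pe["characteristics"], pe["dll_characteristics"]
    findings = []
    if f & FILE_FLAGS["RELOCS_STRIPPED"] and d & DLL_FLAGS["DYNAMIC_BASE"]:
        findings.append("DYNAMIC_BASE is set but relocations are stripped: the loader "
                        "cannot rebase the image, so ASLR does not apply to it")
    if not d & DLL_FLAGS["NX_COMPAT"]:
        findings.append("NX_COMPAT not set: DEP applies only if system policy forces it")
    for name, sc in pe["sections"]:
        if sc & SCN_WRITE and sc & SCN_EXEC:
            findings.append(f"section {name} is writable and executable "
                            "(unpacking stub or self-modifying code)")
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
    return findings


def build_test_image(file_chars: int, dll_chars: int, sections) -> bytes:
    """Construct a minimal PE32 header (no code) so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, c)
                     for n, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_test_image(REPORT_FILE_CHARS, REPORT_DLL_CHARS, SAMPLE_SECTIONS))
    print("Characteristics:", ", ".join(flags_to_names(pe["characteristics"], FILE_FLAGS)))
    print("DllCharacteristics:", ", ".join(flags_to_names(pe["dll_characteristics"], DLL_FLAGS)))
    for line in triage(pe):
        print(" -", line)
```

To run the same checks on a real file, pass open(path, "rb").read() to parse_pe() instead of the synthetic image; the parser only reads headers, so it never maps or executes the sample.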

Networking:

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: get.updates.avast.cn replaycode: Name error (3)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://0xeb.wordpress.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://alioth.debian.org/forum/?group_id=31080
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blag.oxff.net/#2sapnfkthvpzjscp3xwq)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blag.oxff.net/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.poxiao.me/p/wow64-process-inject-dll-into-win64-process/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=1934#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=1943#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=30002#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=31582#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=31630#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=33151#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=33194#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=38440#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=38497#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=41470#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=41474#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=424#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=44368#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=44440#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=44560#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47364#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47365#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47373#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47375#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47392#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47406#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47408#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47413#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47431#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47645#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47646#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47652#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47659#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47660#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47661#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47662#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47663#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47722#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47723#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47754#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47756#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47957#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47964#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47969#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47991#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47992#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=47993#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48008#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48030#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48031#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48042#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48072#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48075#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48079#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=48088#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=50#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=51#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=51969#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=51972#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=51989#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=51992#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=54#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=56#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=60242#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=60901#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=62454#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=62459#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=62466#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=62478#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64488#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64489#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64490#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64491#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64843#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64844#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64845#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=64853#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=65012#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=65050#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=65057#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=65075#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=102&replytocom=65081#respond)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=163)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=319)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?p=80)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?page_id=1730)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?page_id=41)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?page_id=47)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?page_id=679)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://blog.rewolf.pl/blog/?page_id=859)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=104456&repeatmerged=yes
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr String found in binary or memory: http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://code.google.com/p/corkami/source/browse/trunk/misc/MakePE/examples/asm/usermode_test.asm?spec
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://code.google.com/p/rewolf-wow64ext/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://corkami.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://creativecommons.org/ns#
Source: is-EAQ8J.tmp.10.dr String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://dirty-joe.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://gdtr.wordpress.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://github.com/rwfpl)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://github.com/rwfpl/rewolf-wow64ext)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://gynvael.coldwind.pl/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://j00ru.vexillium.org/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://lync.in/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://omeg.pl/blog)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/8ZQa2heh)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://rewolf.pl/stuff/x86tox64.zip)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://scripts.sil.org/OFL
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://sdlpango.sourceforge.net
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://security.szurek.pl/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://sourceforge.net/bugs/?func=detailbug&bug_id=131474&group_id=12715)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://sourceforge.net/tracker/index.php?func=detail&aid=414339&group_id=12715&atid=112715)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://sourceforge.net/tracker/index.php?func=detail&aid=421508&group_id=12715&atid=112715)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://tamaroth.eu/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://terminus.rewolf.pl/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://translationproject.org/
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://translationproject.org/extra/matrix.html
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://tux4kids.alioth.debian.org
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://tux4kids.net/~jdandr2)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://waleedassar.blogspot.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://wordpress.org/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.ffri.jp/assets/files/research/research_papers/psj10-murakami_EN.pdf)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.galuzzi.it.
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.iisc.ernet.in
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.inkscape.org/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.libsdl.org
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr String found in binary or memory: http://www.libsdl.org/download-1.2.php
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.libsdl.org/projects/SDL_image
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr String found in binary or memory: http://www.libsdl.org/projects/SDL_image/
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.libsdl.org/projects/SDL_mixer
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr String found in binary or memory: http://www.libsdl.org/projects/SDL_mixer/
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.libsdl.org/projects/SDL_ttf
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr String found in binary or memory: http://www.libsdl.org/projects/SDL_ttf/
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.opensc.ws/c-c-help/19270-direct-code-injection-x32-x64-2.html#post176735)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://www.tux4kids.com.
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://blog.rewolf.pl/blog/?feed=rss2)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://dev.krzaq.cc/)
Source: restsharp.exe, 00000013.00000002.554163309.00000000030CB000.00000004.00000010.sdmp String found in binary or memory: https://get.u
Source: restsharp.exe, 00000013.00000002.553908667.0000000001524000.00000004.00000020.sdmp, restsharp.exe, 00000013.00000002.553930083.0000000001536000.00000004.00000020.sdmp String found in binary or memory: https://get.updates.avast.cn/
Source: restsharp.exe, 00000013.00000002.553890287.0000000001510000.00000004.00000020.sdmp String found in binary or memory: https://get.updates.avast.cn/sreamble/byn8hRGg_2/B67AeijKX4tuEr1sn/dvpKbG1_2FYf/rPVCgZrAe_2/FPqeoAPF
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://github.com/rwfpl)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://github.com/rwfpl/followers)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://github.com/rwfpl/rewolf-wow64ext)
Source: 1Edyk9e6oL.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 1Edyk9e6oL.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://labs.nettitude.com/dll-injection-part-two/)
Source: is-EAQ8J.tmp.10.dr String found in binary or memory: https://openclipart.org/detail/188214/eraser-by-crisg-188214U2
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://pwningmad.wordpress.com/)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/intent/follow?original_referer=http%3A%2F%2Fblog.rewolf.pl%2Fblog%2F%3Fp%3D102&r
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/intent/user?original_referer=http%3A%2F%2Fblog.rewolf.pl%2Fblog%2F%3Fp%3D102&ref
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://vul.anbai.com/43355.html)
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp String found in binary or memory: https://www.corelan.be/index.php/2011/11/05/wow64-egghunter/)
Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp String found in binary or memory: https://www.innosetup.com/
Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: is-SV4NE.tmp.10.dr String found in binary or memory: https://www.tupitube.com
Source: unknown DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: restsharp.exe, 00000013.00000002.553577591.000000000149A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section
Source: is-DL2UG.tmp.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 1Edyk9e6oL.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 6_2_0060F6D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 9_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 10_2_0060F6D8
Detected potential crypto function
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004323DC 1_2_004323DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004255DC 1_2_004255DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040E9C4 1_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006B786C 6_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040C938 6_2_0040C938
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_004323DC 9_2_004323DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_004255DC 9_2_004255DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040E9C4 9_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006B786C 10_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040C938 10_2_0040C938
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E384A00 19_2_6E384A00
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381600 19_2_6E381600
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E384EA0 19_2_6E384EA0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E38CADD 19_2_6E38CADD
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3826D0 19_2_6E3826D0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E385F70 19_2_6E385F70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E387F69 19_2_6E387F69
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3877A0 19_2_6E3877A0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3853F0 19_2_6E3853F0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E387BD0 19_2_6E387BD0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E387017 19_2_6E387017
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E386C70 19_2_6E386C70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E385050 19_2_6E385050
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E382440 19_2_6E382440
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3824AC 19_2_6E3824AC
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381D20 19_2_6E381D20
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E384D70 19_2_6E384D70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E38995F 19_2_6E38995F
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3825A0 19_2_6E3825A0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E385980 19_2_6E385980
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E38A185 19_2_6E38A185
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3865F0 19_2_6E3865F0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 0060CD28 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 006163B4 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: String function: 00616130 appears 39 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: String function: 00427848 appears 42 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: String function: 0040CC60 appears 34 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: String function: 0040873C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: String function: 005DE888 appears 40 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101C90 GetProcAddress,NtCreateSection,memset, 19_2_00101C90
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101703 NtMapViewOfSection, 19_2_00101703
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_001019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 19_2_001019A0
PE file contains executable resources (Code or Archives)
Source: 1Edyk9e6oL.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1Edyk9e6oL.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Sample file is different than original file name gathered from version info
Source: 1Edyk9e6oL.exe, 00000001.00000003.292668523.00000000023E8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000000.283304261.00000000004DC000.00000002.00020000.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284182308.000000000270C000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284869590.000000007FE68000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.291384347.00000000026FC000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.426104453.00000000023D8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000000.290559398.00000000004DC000.00000002.00020000.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.293025032.000000007FE68000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
PE file contains strange resources
Source: 1Edyk9e6oL.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-DL2UG.tmp.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Section loaded: libtfs2.0.dll
PE file contains more sections than normal
Source: is-P09CL.tmp.10.dr Static PE information: Number of sections : 12 > 10
Source: is-E4UP5.tmp.10.dr Static PE information: Number of sections : 13 > 10
Source: is-9HHB4.tmp.10.dr Static PE information: Number of sections : 13 > 10
Source: is-BB30O.tmp.10.dr Static PE information: Number of sections : 13 > 10
Source: is-K16NE.tmp.10.dr Static PE information: Number of sections : 14 > 10
Source: 1Edyk9e6oL.exe Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File read: C:\Users\user\Desktop\1Edyk9e6oL.exe
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 6_2_0060F6D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 9_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 10_2_0060F6D8
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp
Source: classification engine Classification label: mal54.troj.evad.winEXE@9/305@1/0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0062CFB8 GetVersion,CoCreateInstance, 6_2_0062CFB8
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0041A4DC GetDiskFreeSpaceW, 1_2_0041A4DC
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource, 1_2_004AF9F0
Source: 1Edyk9e6oL.exe String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1Edyk9e6oL.exe Static file information: File size 5210880 > 1048576
Source: 1Edyk9e6oL.exe Static PE information: certificate valid
Source: 1Edyk9e6oL.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdbAu source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Unpacked PE file: 19.2.restsharp.exe.100000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Obfuscated command line found
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B5000 push 004B50DEh; ret 1_2_004B50D6
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B5980 push 004B5A48h; ret 1_2_004B5A40
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx 1_2_00458005
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx 1_2_0049B03D
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx 1_2_004A00F9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx 1_2_00458089
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B1084 push 004B10ECh; ret 1_2_004B10E4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx 1_2_004A1095
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx 1_2_0041A0B8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004270BC push 00427104h; ret 1_2_004270FC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx 1_2_0045810D
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx 1_2_004321C9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx 1_2_004A21D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx 1_2_0049E1B9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049A260 push 0049A378h; ret 1_2_0049A370
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx 1_2_0045526C
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax 1_2_004252D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004592FC push ecx; mov dword ptr [esp], edx 1_2_004592FD
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx 1_2_0045B285
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00430358 push ecx; mov dword ptr [esp], eax 1_2_00430359
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00430370 push ecx; mov dword ptr [esp], eax 1_2_00430371
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx 1_2_00459398
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx 1_2_004A1429
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx 1_2_0049B425
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx 1_2_004A24D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004224F0 push 004225F4h; ret 1_2_004225EC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax 1_2_004304F1
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00499490 push ecx; mov dword ptr [esp], edx 1_2_00499493
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458564 push ecx; mov dword ptr [esp], edx 1_2_00458565
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458574 push ecx; mov dword ptr [esp], edx 1_2_00458575
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx 1_2_00457578
PE file contains sections with non-standard names
Source: 1Edyk9e6oL.exe Static PE information: section name: .didata
Source: 1Edyk9e6oL.tmp.1.dr Static PE information: section name: .didata
Source: 1Edyk9e6oL.tmp.9.dr Static PE information: section name: .didata
Source: is-K16NE.tmp.10.dr Static PE information: section name: /4
Source: is-K16NE.tmp.10.dr Static PE information: section name: .xdata
Source: is-K16NE.tmp.10.dr Static PE information: section name: /14
Source: is-E4UP5.tmp.10.dr Static PE information: section name: /4
Source: is-E4UP5.tmp.10.dr Static PE information: section name: .xdata
Source: is-E4UP5.tmp.10.dr Static PE information: section name: /14
Source: is-9HHB4.tmp.10.dr Static PE information: section name: /4
Source: is-9HHB4.tmp.10.dr Static PE information: section name: .xdata
Source: is-9HHB4.tmp.10.dr Static PE information: section name: /14
Source: is-P09CL.tmp.10.dr Static PE information: section name: .xdata
Source: is-BB30O.tmp.10.dr Static PE information: section name: /4
Source: is-BB30O.tmp.10.dr Static PE information: section name: .xdata
Source: is-BB30O.tmp.10.dr Static PE information: section name: /14
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101264 LoadLibraryA,GetProcAddress, 19_2_00101264
PE file contains an invalid checksum
Source: 1Edyk9e6oL.tmp.1.dr Static PE information: real checksum: 0x0 should be: 0x331370
Source: 1Edyk9e6oL.tmp.9.dr Static PE information: real checksum: 0x0 should be: 0x331370
Source: is-T5J2K.tmp.10.dr Static PE information: real checksum: 0x234a01 should be: 0x24a5f6
Source: is-DL2UG.tmp.10.dr Static PE information: real checksum: 0x690dcc should be: 0x69934a
Binary contains a suspicious time stamp
Source: is-K16NE.tmp.10.dr Static PE information: 0xA5E8A5E0 [Sat Mar 16 06:57:36 2058 UTC]
Source: initial sample Static PE information: section name: .text entropy: 6.89492529939

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-DL2UG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaad2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility\SharpDX Direct3D9Utility.lnk

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 6_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 6_2_006A68B0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 10_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 10_2_006A68B0
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 6428 Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 4596 Thread sleep time: -90000s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381207 rdtsc 19_2_6E381207
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 1_2_004AF91C
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040AEF4 FindFirstFileW,FindClose, 1_2_0040AEF4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 1_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError, 6_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E6A0 FindFirstFileW,FindClose, 6_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 6_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 6_2_006B8DE4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040AEF4 FindFirstFileW,FindClose, 9_2_0040AEF4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError, 10_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E6A0 FindFirstFileW,FindClose, 10_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 10_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose, 10_2_006B8DE4
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Thread delayed: delay time: 39000
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Thread delayed: delay time: 90000
Source: restsharp.exe, 00000013.00000002.553869733.0000000001502000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

Anti Debugging:

Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3813D0 19_2_6E3813D0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381440 19_2_6E381440
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6E41C4CB
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101264 LoadLibraryA,GetProcAddress, 19_2_00101264
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381207 rdtsc 19_2_6E381207
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41FF01 mov eax, dword ptr fs:[00000030h] 19_2_6E41FF01
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E42E7EF mov eax, dword ptr fs:[00000030h] 19_2_6E42E7EF
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E42E877 mov eax, dword ptr fs:[00000030h] 19_2_6E42E877
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_0053FBEC mov eax, dword ptr fs:[00000030h] 19_2_0053FBEC
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41BAA2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_6E41BAA2
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6E41C4CB
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E423D7F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6E423D7F

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 6_2_006A60E8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 6_2_005C8B3C
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 6_2_005C7CE0
Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 1_2_0040B044
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 1_2_0041E034
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 1_2_0041E080
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 1_2_004AF218
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 6_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: GetLocaleInfoW, 6_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_0040DC78
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 9_2_0040B044
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 9_2_0041E034
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 9_2_0041E080
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: GetLocaleInfoW, 9_2_004AF218
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 10_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: GetLocaleInfoW, 10_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0040DC78
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00405AE0 cpuid 1_2_00405AE0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle, 6_2_00625754
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0041C3D8 GetLocalTime, 1_2_0041C3D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 1_2_004B5114

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
No contacted IP infos