Source: 2.0.Image001.exe.400000.0.unpack |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"} |
Source: 2.1.Image001.exe.400000.0.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.5.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.2.Image001.exe.400000.1.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.4.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.3.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.2.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.6.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.2.Image001.exe.4810000.5.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.8.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: 2.0.Image001.exe.400000.1.unpack |
Avira: Label: TR/Spy.Gen8 |
Source: |
Binary string: wntdll.pdbUGP source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_00405C22 FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_00402630 FindFirstFileA, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_00404A29 FindFirstFileExW, |
Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Image001.exe, 00000002.00000002.930497468.000000000260A000.00000004.00000001.sdmp |
String found in binary or memory: http://9zUeuRC8ZtAGmU0.com |
Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp |
String found in binary or memory: http://YcxkAh.com |
Source: Image001.exe, 00000002.00000002.930534134.000000000262C000.00000004.00000001.sdmp |
String found in binary or memory: http://cgyasc.com |
Source: Image001.exe, 00000002.00000002.930534134.000000000262C000.00000004.00000001.sdmp |
String found in binary or memory: http://mail.cgyasc.com |
Source: Image001.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: Image001.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Image001.exe, Image001.exe, 00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmp, Image001.exe, 00000002.00000000.671627196.0000000000414000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.931937369.0000000004812000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.930749556.00000000032D1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
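The rows on this page (the AgentTesla configuration at the top, the URL strings above, and the WMI, file, registry and code-function rows further down) can be turned into a structured indicator list with the parser below. It is an added example written for this page, not Joe Sandbox code. It assumes the row layout as reproduced here: a "Source:" line, then one detail line, then optionally a bare function id or the "Jump to behavior" link text left behind when the report's HTML was flattened. The input is a handful of rows copied from above and embedded as a constructed sample.

```python
"""Turn the sandbox report rows reproduced on this page into an indicator list.

Added example for this page, not Joe Sandbox code.  Assumed row layout, as
seen above: a "Source: ... |" line, then one detail line ending in " |", then
optionally a bare function id ("2_2_004035F1 |") or the link text
"Jump to behavior |" left behind when the report's HTML was flattened.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a handful of rows copied from the report above.
SAMPLE_ROWS = r"""
Source: 2.0.Image001.exe.400000.0.unpack |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"} |
Source: Image001.exe, 00000002.00000002.930534134.000000000262C000.00000004.00000001.sdmp |
String found in binary or memory: http://mail.cgyasc.com |
Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\Image001.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\Image001.exe |
File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] |
2_2_004035F1 |
"""

PREFIX_TO_KIND = {
    "Malware Configuration Extractor:": "config",
    "String found in binary or memory:": "string",
    "WMI Queries:": "wmi",
    "File opened:": "file",
    "Key opened:": "registry",
    "Process created:": "process",
    "Code function:": "function",
}
FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")
# A URL ends at the first '%' that does not start a percent-escape: the Tor
# download string above is a format template with %tordir% appended to it.
URL_RE = re.compile(r"https?://(?:[^\s%|]|%[0-9A-Fa-f]{2})+")


def split_rows(text):
    """Group lines into (source, detail) pairs, dropping link residue."""
    rows, source, detail = [], None, None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source:"):
            if source is not None and detail is not None:
                rows.append((source, detail))
            source, detail = line[len("Source:"):].strip(), None
        elif line == "Jump to behavior" or FUNC_ID.match(line):
            continue  # link-cell residue; the id is already in the detail line
        elif source is not None and detail is None:
            detail = line
    if source is not None and detail is not None:
        rows.append((source, detail))
    return rows


def classify(detail):
    for prefix, kind in PREFIX_TO_KIND.items():
        if detail.startswith(prefix):
            return kind, detail[len(prefix):].strip()
    return "other", detail


def extract_indicators(text):
    """Return {'configs': [...], 'indicators': {kind: sorted values}}."""
    found = defaultdict(set)
    configs = []
    for source, detail in split_rows(text):
        kind, value = classify(detail)
        if kind == "config":
            family, _, blob = value.partition(" ")
            cfg = json.loads(blob)
            configs.append({"family": family, "source": source, **cfg})
            if cfg.get("Host"):
                found["host"].add(cfg["Host"])
        elif kind == "string":
            m = URL_RE.match(value)
            if m:
                found["url"].add(m.group(0))
                host = urlsplit(m.group(0)).hostname
                if host:
                    found["host"].add(host)
        elif kind == "function":
            func_id, _, body = value.partition(" ")
            if "fs:[00000030h]" in body:  # PEB read, see the anti-debug rows
                found["peb_access"].add(func_id)
        elif kind in ("wmi", "file", "registry", "process"):
            found[kind].add(value)
    return {"configs": configs,
            "indicators": {k: sorted(v) for k, v in found.items()}}


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_ROWS), indent=2))
```

The SMTP credential in the extracted configuration is the attacker's collection mailbox: the host and mailbox are indicators to block and to report to the provider, not something to log into.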
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\Image001.exe |
Code functions listed by the report without resolved API calls: 1_2_00406043, 1_2_00404618, 1_2_0040681A, 1_2_1001645B, 1_2_1001F074, 1_2_1001694F, 1_2_10016D67, 1_2_1001719C, 1_2_100175D1, 1_2_1001F5E6, 1_2_100216A3, 1_2_10020300, 1_2_1001C74E, 1_2_1001FB58, 2_2_0040A2A5, 2_2_00811048, 2_2_0081A338, 2_2_00811480, 2_2_00816A78, 2_2_0081E368, 2_2_008134B8, 2_2_0081A5A0, 2_2_0088E012, 2_2_00880068, 2_2_0088AD98, 2_2_00885D40, 2_2_0088C650, 2_2_00886E38, 2_2_048047A0, 2_2_04804733, 2_2_0480D661, 2_2_0480F8F1 |
Source: Image001.exe, 00000001.00000003.670760115.0000000002C5F000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Image001.exe |
Source: Image001.exe, 00000001.00000003.667724154.0000000002AC6000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Image001.exe |
Source: Image001.exe, 00000001.00000002.674414732.0000000002960000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe |
Binary or memory string: OriginalFilename vs Image001.exe |
Source: Image001.exe, 00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe, 00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe, 00000002.00000000.671627196.0000000000414000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe, 00000002.00000002.931937369.0000000004812000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe, 00000002.00000002.929187642.0000000000199000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Image001.exe |
Source: Image001.exe, 00000002.00000002.930749556.00000000032D1000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe |
Source: Image001.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources) |
Source: unknown |
Process created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe" |
Source: C:\Users\user\Desktop\Image001.exe |
Process created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe" |
Source: C:\Users\user\Desktop\Image001.exe |
Process created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe" |
Source: C:\Users\user\Desktop\Image001.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\Image001.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, |
Source: 2.2.Image001.exe.4810000.5.unpack, A/b2.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: C:\Users\user\Desktop\Image001.exe |
Process information set: NOOPENFILEERRORBOX (identical row repeated 60 times in the report) |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_1001A14A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_10007CE0 SetEnhMetaFileBits,SetWinMetaFileBits,GetDC,CreateDIBitmap,ReleaseDC,GetProcessHeap,HeapFree, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0019EA16 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0019E802 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0019EAC7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0019EB06 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0019EB44 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_1001BF46 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_00401E1D SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
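The `mov eax, dword ptr fs:[00000030h]` rows above are reads of the PEB pointer out of the TEB on 32-bit Windows; that read is the first instruction of the classic PEB.BeingDebugged (offset 2) and PEB.NtGlobalFlag (offset 0x68) debugger checks, which is why the report groups these functions with the IsDebuggerPresent calls. The scanner below finds that read in raw code bytes. It is an added example, not the sandbox's own detection; the byte sample is constructed and the 0x401000 base address is an assumption. The same access is emitted by ordinary CRT and ntdll code, so a hit marks a place to look, not a verdict.

```python
"""Find 32-bit PEB reads (mov r32, dword ptr fs:[30h]) in raw code bytes.

Added example for this page, not the sandbox's own detection.  On 32-bit
Windows FS points at the TEB and TEB+0x30 holds the PEB pointer; the classic
debugger checks then read PEB+0x02 (BeingDebugged) or PEB+0x68 (NtGlobalFlag).

Encodings handled (0x64 is the FS segment-override prefix):
    64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 form, eax only)
    64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 + disp32)
"""
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP = b"\x30\x00\x00\x00"


def find_peb_reads(code, base=0):
    """Return [(address, disassembly)] for every fs:[30h] read in `code`."""
    hits, i, n = [], 0, len(code)
    while i < n:
        # moffs32 form: only eax can be the destination.
        if (code[i] == 0x64 and i + 5 < n and code[i + 1] == 0xA1
                and code[i + 2:i + 6] == PEB_DISP):
            hits.append((base + i, "mov eax, dword ptr fs:[30h]"))
            i += 6
            continue
        # ModRM form: mod=00, rm=101 means "disp32 only"; reg field picks r32.
        if (code[i] == 0x64 and i + 6 < n and code[i + 1] == 0x8B
                and (code[i + 2] & 0xC7) == 0x05
                and code[i + 3:i + 7] == PEB_DISP):
            reg = REG32[(code[i + 2] >> 3) & 7]
            hits.append((base + i, f"mov {reg}, dword ptr fs:[30h]"))
            i += 7
            continue
        i += 1
    return hits


# Constructed sample: a tiny function that reads the PEB twice.  The fs:[18h]
# read (TEB self pointer) is there to show it is not reported.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC "                 # push ebp / mov ebp, esp
    "64 A1 30 00 00 00 "        # mov eax, fs:[30h]            <- PEB
    "8A 40 02 "                 # mov al, [eax+2]              PEB.BeingDebugged
    "64 8B 0D 30 00 00 00 "     # mov ecx, fs:[30h]            <- PEB
    "8B 49 68 "                 # mov ecx, [ecx+68h]           PEB.NtGlobalFlag
    "64 A1 18 00 00 00 "        # mov eax, fs:[18h]            TEB, not PEB
    "5D C3"                     # pop ebp / ret
)

if __name__ == "__main__":
    # base 0x401000 is an assumed load address for the sample bytes
    for addr, text in find_peb_reads(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08X}  {text}")
```

Point it at the raw bytes of an executable section and pass that section's virtual address as `base`; the addresses then line up with the function ids the report uses.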
Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 times) |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Image001.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\Image001.exe |
Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, |
Source: Yara match |
File source: 2.2.Image001.exe.647018.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.47b0000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.47b0000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.415058.9.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.32d5530.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.647018.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.415058.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.415058.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.415058.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.32d5530.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.1.Image001.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.1.Image001.exe.415058.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.Image001.exe.2960000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.Image001.exe.2960000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.415058.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.415058.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.Image001.exe.2971458.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Image001.exe.4810000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.Image001.exe.2971458.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.1.Image001.exe.415058.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Image001.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.929487870.000000000062E000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.674414732.0000000002960000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.671627196.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.670129518.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.931937369.0000000004812000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.930749556.00000000032D1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000001.673527411.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.930497468.000000000260A000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Image001.exe PID: 3524, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: Image001.exe PID: 6004, type: MEMORYSTR |
Source: C:\Users\user\Desktop\Image001.exe |
File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (opened twice) |
Source: C:\Users\user\Desktop\Image001.exe |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
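The "Process created" rows earlier on the page (Image001.exe starting a second copy of itself, whose memory carries the OriginalFilename KPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe rather than Image001.exe) and the Thunderbird profiles.ini and Outlook profile key rows just above are the shape of a host-telemetry detection: self-spawn plus a mismatched OriginalFilename is what a hollowed second instance looks like, and a non-mail-client reading mail profile stores is the credential theft itself. The code below is an added example over constructed Sysmon-like events, not code from the report. PIDs 3524 and 6004 are the ones in the Yara rows; the explorer.exe parent, pid 1200 and the benign events are made up for the example. Note that the child's OriginalFilename is the value the report read from the process's memory; Sysmon's OriginalFileName field comes from the file on disk, which for this sample carries no OriginalFilename at all, so a live sensor only sees the mismatch if it scans the process image in memory.

```python
"""Flag the process / credential-access pattern the report shows, over host
telemetry.  Added example with constructed Sysmon-like events; not the
report's own logic.  PIDs 3524 and 6004 are the ones in the Yara rows; the
explorer.exe parent, pid 1200 and the benign events are made up.
"""
import ntpath
from collections import defaultdict

MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}   # allowed to read their own stores
THUNDERBIRD_PROFILES = r"\thunderbird\profiles.ini"
MAPI_PROFILE_KEY = r"\windows messaging subsystem\profiles"  # Outlook profile store (HKCU)

SAMPLE_EVENTS = [
    # The NSIS installer, started from the desktop (parent and pid assumed).
    {"type": "process_create", "pid": 3524, "ppid": 1200,
     "image": r"C:\Users\user\Desktop\Image001.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_filename": ""},
    # It starts a second copy of itself; the memory of that copy carries the
    # payload's version info (as the report's OriginalFilename rows show).
    {"type": "process_create", "pid": 6004, "ppid": 3524,
     "image": r"C:\Users\user\Desktop\Image001.exe",
     "parent_image": r"C:\Users\user\Desktop\Image001.exe",
     "original_filename": "KPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe"},
    {"type": "file_open", "pid": 6004, "image": r"C:\Users\user\Desktop\Image001.exe",
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "reg_open", "pid": 6004, "image": r"C:\Users\user\Desktop\Image001.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign (constructed): Thunderbird reading its own profiles.ini.
    {"type": "file_open", "pid": 777,
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    # Benign (constructed): a renamed signed tool trips the OriginalFilename check alone.
    {"type": "process_create", "pid": 900, "ppid": 1200,
     "image": r"C:\Tools\pv.exe", "parent_image": r"C:\Windows\explorer.exe",
     "original_filename": "procexp.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def check_process_create(ev):
    """Self-spawn and OriginalFilename/image-name mismatch; each is weak alone."""
    findings = []
    if ev["image"].lower() == ev.get("parent_image", "").lower():
        findings.append("self-spawn of own image (hollowing / RunPE candidate)")
    orig = ev.get("original_filename", "")
    if orig and orig.lower() != _name(ev["image"]):
        findings.append(f"OriginalFilename {orig} does not match image name")
    return findings


def check_resource_access(ev):
    """Mail credential stores read by something that is not a mail client."""
    if _name(ev["image"]) in MAIL_CLIENTS:
        return []
    if ev["type"] == "file_open" and ev["path"].lower().endswith(THUNDERBIRD_PROFILES):
        return ["non-mail-client read of Thunderbird profiles.ini"]
    if ev["type"] == "reg_open" and MAPI_PROFILE_KEY in ev["key"].lower():
        return ["non-mail-client read of Outlook/MAPI profile key"]
    return []


def triage(events):
    """Alert per pid on any credential-store access, or on two weak signals together."""
    per_pid = defaultdict(list)
    for ev in events:
        check = check_process_create if ev["type"] == "process_create" else check_resource_access
        per_pid[ev["pid"]].extend(check(ev))
    return {pid: f for pid, f in per_pid.items()
            if any(x.startswith("non-mail-client") for x in f) or len(f) >= 2}


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Self-spawn on its own is normal for browsers and installers, and a mismatched OriginalFilename is what any renamed signed tool looks like, which is why the two are only scored together; a read of the mail profile stores by a binary on the user's desktop is reported on its own.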