| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0x8ee04:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0x8ee60:$e2: Add-MpPreference -ExclusionPath
|
| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0x903e3:$s1: c:\windows\system32\cmstp.exe
- 0x9017f:$s2: taskkill /IM cmstp.exe /F
- 0x9003b:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0x90271:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x8ebd2:$r1: Classes\Folder\shell\open\command
- 0x8ec16:$k1: DelegateExecute
- 0x8ead2:$s1: /EXEFilename "{0}
- 0x8eaf8:$s2: /WindowState ""
- 0x904e6:$s2: /WindowState ""
- 0x8eb22:$s3: /PriorityClass ""32"" /CommandLine "
- 0x9050c:$s3: /PriorityClass ""32"" /CommandLine "
- 0x8eb6e:$s4: /StartDirectory "
- 0x90558:$s4: /StartDirectory "
- 0x8eb94:$s5: /RunAs
- 0x9057e:$s5: /RunAs
|
| 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0x8f0ea:$s1: This file can't run into Virtual Machines
- 0x8efe6:$s4: Run without emulation
- 0x8f1c0:$s5: Run using valid operating system
- 0x8eeb6:$v1: SbieDll.dll
- 0x8ec51:$v2: USER
- 0x8f202:$v2: USER
- 0x8f20c:$v3: SANDBOX
- 0x8f21c:$v4: VIRUS
- 0x8f264:$v4: VIRUS
- 0x8f228:$v5: MALWARE
- 0x8f238:$v6: SCHMIDTI
- 0x8f24a:$v7: CURRENTUSER
|
| 2.2.LaunchWinApp.exe.400000.0.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.2.LaunchWinApp.exe.400000.0.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.6.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.6.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.0.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.0.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.7.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.7.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0x8ee04:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0x8ee60:$e2: Add-MpPreference -ExclusionPath
|
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0x903e3:$s1: c:\windows\system32\cmstp.exe
- 0x9017f:$s2: taskkill /IM cmstp.exe /F
- 0x9003b:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0x90271:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x8ebd2:$r1: Classes\Folder\shell\open\command
- 0x8ec16:$k1: DelegateExecute
- 0x8ead2:$s1: /EXEFilename "{0}
- 0x8eaf8:$s2: /WindowState ""
- 0x904e6:$s2: /WindowState ""
- 0x8eb22:$s3: /PriorityClass ""32"" /CommandLine "
- 0x9050c:$s3: /PriorityClass ""32"" /CommandLine "
- 0x8eb6e:$s4: /StartDirectory "
- 0x90558:$s4: /StartDirectory "
- 0x8eb94:$s5: /RunAs
- 0x9057e:$s5: /RunAs
|
| 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0x8f0ea:$s1: This file can't run into Virtual Machines
- 0x8efe6:$s4: Run without emulation
- 0x8f1c0:$s5: Run using valid operating system
- 0x8eeb6:$v1: SbieDll.dll
- 0x8ec51:$v2: USER
- 0x8f202:$v2: USER
- 0x8f20c:$v3: SANDBOX
- 0x8f21c:$v4: VIRUS
- 0x8f264:$v4: VIRUS
- 0x8f228:$v5: MALWARE
- 0x8f238:$v6: SCHMIDTI
- 0x8f24a:$v7: CURRENTUSER
|
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0xdadc4:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0xdae20:$e2: Add-MpPreference -ExclusionPath
|
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xdc3a3:$s1: c:\windows\system32\cmstp.exe
- 0xdc13f:$s2: taskkill /IM cmstp.exe /F
- 0xdbffb:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xdc231:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0xdab92:$r1: Classes\Folder\shell\open\command
- 0xdabd6:$k1: DelegateExecute
- 0xdaa92:$s1: /EXEFilename "{0}
- 0xdaab8:$s2: /WindowState ""
- 0xdc4a6:$s2: /WindowState ""
- 0xdaae2:$s3: /PriorityClass ""32"" /CommandLine "
- 0xdc4cc:$s3: /PriorityClass ""32"" /CommandLine "
- 0xdab2e:$s4: /StartDirectory "
- 0xdc518:$s4: /StartDirectory "
- 0xdab54:$s5: /RunAs
- 0xdc53e:$s5: /RunAs
|
| 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0xdb0aa:$s1: This file can't run into Virtual Machines
- 0xdafa6:$s4: Run without emulation
- 0xdb180:$s5: Run using valid operating system
- 0xdae76:$v1: SbieDll.dll
- 0xdac11:$v2: USER
- 0xdb1c2:$v2: USER
- 0xdb1cc:$v3: SANDBOX
- 0xdb1dc:$v4: VIRUS
- 0xdb224:$v4: VIRUS
- 0xdb1e8:$v5: MALWARE
- 0xdb1f8:$v6: SCHMIDTI
- 0xdb20a:$v7: CURRENTUSER
|
| 2.0.LaunchWinApp.exe.400000.8.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.8.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.3.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.3.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.2.LaunchWinApp.exe.400000.0.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.2.LaunchWinApp.exe.400000.0.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.3.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.3.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.5.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.5.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.4.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.4.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.8.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.8.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.2.raw.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.2.raw.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7e47c:$s1: inetcomm server passwords
- 0x86f44:$s4: CredEnumerateW
- 0x7e048:$s5: %[^:]://%[^/]%[^
- 0x7e064:$s6: %99[^:]://%99[^/]%99[^
- 0x7b050:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7d728:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7d0e8:$x2: \json.hpp
- 0x7da34:$x3: Microsoft_WinInet_
- 0x7db44:$x3: Microsoft_WinInet_
- 0x7db44:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.6.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.6.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0x8ee04:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0x8ee60:$e2: Add-MpPreference -ExclusionPath
|
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0x903e3:$s1: c:\windows\system32\cmstp.exe
- 0x9017f:$s2: taskkill /IM cmstp.exe /F
- 0x9003b:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0x90271:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0x8ebd2:$r1: Classes\Folder\shell\open\command
- 0x8ec16:$k1: DelegateExecute
- 0x8ead2:$s1: /EXEFilename "{0}
- 0x8eaf8:$s2: /WindowState ""
- 0x904e6:$s2: /WindowState ""
- 0x8eb22:$s3: /PriorityClass ""32"" /CommandLine "
- 0x9050c:$s3: /PriorityClass ""32"" /CommandLine "
- 0x8eb6e:$s4: /StartDirectory "
- 0x90558:$s4: /StartDirectory "
- 0x8eb94:$s5: /RunAs
- 0x9057e:$s5: /RunAs
|
| 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0x8f0ea:$s1: This file can't run into Virtual Machines
- 0x8efe6:$s4: Run without emulation
- 0x8f1c0:$s5: Run using valid operating system
- 0x8eeb6:$v1: SbieDll.dll
- 0x8ec51:$v2: USER
- 0x8f202:$v2: USER
- 0x8f20c:$v3: SANDBOX
- 0x8f21c:$v4: VIRUS
- 0x8f264:$v4: VIRUS
- 0x8f228:$v5: MALWARE
- 0x8f238:$v6: SCHMIDTI
- 0x8f24a:$v7: CURRENTUSER
|
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0xd8fc4:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0xd9020:$e2: Add-MpPreference -ExclusionPath
|
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xda5a3:$s1: c:\windows\system32\cmstp.exe
- 0xda33f:$s2: taskkill /IM cmstp.exe /F
- 0xda1fb:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xda431:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0xd8d92:$r1: Classes\Folder\shell\open\command
- 0xd8dd6:$k1: DelegateExecute
- 0xd8c92:$s1: /EXEFilename "{0}
- 0xd8cb8:$s2: /WindowState ""
- 0xda6a6:$s2: /WindowState ""
- 0xd8ce2:$s3: /PriorityClass ""32"" /CommandLine "
- 0xda6cc:$s3: /PriorityClass ""32"" /CommandLine "
- 0xd8d2e:$s4: /StartDirectory "
- 0xda718:$s4: /StartDirectory "
- 0xd8d54:$s5: /RunAs
- 0xda73e:$s5: /RunAs
|
| 0.3.qpwx2wT5ky.exe.4615610.3.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0xd92aa:$s1: This file can't run into Virtual Machines
- 0xd91a6:$s4: Run without emulation
- 0xd9380:$s5: Run using valid operating system
- 0xd9076:$v1: SbieDll.dll
- 0xd8e11:$v2: USER
- 0xd93c2:$v2: USER
- 0xd93cc:$v3: SANDBOX
- 0xd93dc:$v4: VIRUS
- 0xd9424:$v4: VIRUS
- 0xd93e8:$v5: MALWARE
- 0xd93f8:$v6: SCHMIDTI
- 0xd940a:$v7: CURRENTUSER
|
| 2.0.LaunchWinApp.exe.400000.4.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.4.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 0.2.qpwx2wT5ky.exe.468cf00.3.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 0.2.qpwx2wT5ky.exe.468cf00.3.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7b07c:$s1: inetcomm server passwords
- 0x83b44:$s4: CredEnumerateW
- 0x7ac48:$s5: %[^:]://%[^/]%[^
- 0x7ac64:$s6: %99[^:]://%99[^/]%99[^
- 0x77c50:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7a328:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x79ce8:$x2: \json.hpp
- 0x7a634:$x3: Microsoft_WinInet_
- 0x7a744:$x3: Microsoft_WinInet_
- 0x7a744:$x4: Microsoft_WinInet_*
|
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0xd8fc4:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0xd9020:$e2: Add-MpPreference -ExclusionPath
|
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xda5a3:$s1: c:\windows\system32\cmstp.exe
- 0xda33f:$s2: taskkill /IM cmstp.exe /F
- 0xda1fb:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xda431:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0xd8d92:$r1: Classes\Folder\shell\open\command
- 0xd8dd6:$k1: DelegateExecute
- 0xd8c92:$s1: /EXEFilename "{0}
- 0xd8cb8:$s2: /WindowState ""
- 0xda6a6:$s2: /WindowState ""
- 0xd8ce2:$s3: /PriorityClass ""32"" /CommandLine "
- 0xda6cc:$s3: /PriorityClass ""32"" /CommandLine "
- 0xd8d2e:$s4: /StartDirectory "
- 0xda718:$s4: /StartDirectory "
- 0xd8d54:$s5: /RunAs
- 0xda73e:$s5: /RunAs
|
| 0.2.qpwx2wT5ky.exe.3170000.2.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0xd92aa:$s1: This file can't run into Virtual Machines
- 0xd91a6:$s4: Run without emulation
- 0xd9380:$s5: Run using valid operating system
- 0xd9076:$v1: SbieDll.dll
- 0xd8e11:$v2: USER
- 0xd93c2:$v2: USER
- 0xd93cc:$v3: SANDBOX
- 0xd93dc:$v4: VIRUS
- 0xd9424:$v4: VIRUS
- 0xd93e8:$v5: MALWARE
- 0xd93f8:$v6: SCHMIDTI
- 0xd940a:$v7: CURRENTUSER
|
| 2.0.LaunchWinApp.exe.400000.2.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.2.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.7.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.7.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.1.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.1.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 2.0.LaunchWinApp.exe.400000.5.unpack | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| 2.0.LaunchWinApp.exe.400000.5.unpack | MALWARE_Win_Raccoon | Raccoon stealer payload | ditekSHen | - 0x7ca7c:$s1: inetcomm server passwords
- 0x85544:$s4: CredEnumerateW
- 0x7c648:$s5: %[^:]://%[^/]%[^
- 0x7c664:$s6: %99[^:]://%99[^/]%99[^
- 0x79650:$s8: m_it.object_iterator != m_object->m_value.object->end()
- 0x7bd28:$x1: endptr == token_buffer.data() + token_buffer.size()
- 0x7b6e8:$x2: \json.hpp
- 0x7c034:$x3: Microsoft_WinInet_
- 0x7c144:$x3: Microsoft_WinInet_
- 0x7c144:$x4: Microsoft_WinInet_*
|
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen | - 0xdadc4:$e1: Microsoft\Windows Defender\Exclusions\Paths
- 0xdae20:$e2: Add-MpPreference -ExclusionPath
|
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen | - 0xdc3a3:$s1: c:\windows\system32\cmstp.exe
- 0xdc13f:$s2: taskkill /IM cmstp.exe /F
- 0xdbffb:$s5: RunPreSetupCommands=RunPreSetupCommandsSection
- 0xdc231:$s6: "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""
|
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen | - 0xdab92:$r1: Classes\Folder\shell\open\command
- 0xdabd6:$k1: DelegateExecute
- 0xdaa92:$s1: /EXEFilename "{0}
- 0xdaab8:$s2: /WindowState ""
- 0xdc4a6:$s2: /WindowState ""
- 0xdaae2:$s3: /PriorityClass ""32"" /CommandLine "
- 0xdc4cc:$s3: /PriorityClass ""32"" /CommandLine "
- 0xdab2e:$s4: /StartDirectory "
- 0xdc518:$s4: /StartDirectory "
- 0xdab54:$s5: /RunAs
- 0xdc53e:$s5: /RunAs
|
| 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | - 0xdb0aa:$s1: This file can't run into Virtual Machines
- 0xdafa6:$s4: Run without emulation
- 0xdb180:$s5: Run using valid operating system
- 0xdae76:$v1: SbieDll.dll
- 0xdac11:$v2: USER
- 0xdb1c2:$v2: USER
- 0xdb1cc:$v3: SANDBOX
- 0xdb1dc:$v4: VIRUS
- 0xdb224:$v4: VIRUS
- 0xdb1e8:$v5: MALWARE
- 0xdb1f8:$v6: SCHMIDTI
- 0xdb20a:$v7: CURRENTUSER
|
| Click to see the 77 entries |
Edit tour
qpwx2wT5ky.exe (PID: 6428 cmdline: 
WerFault.exe (PID: 5952 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node