
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 67745
Start time: 11:56:38
Joe Sandbox Product: CloudBasic
Start date: 12.07.2018
Overall analysis duration: 0h 8m 12s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: xxxe.tkn (renamed file extension from tkn to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.phis.spyw.troj.winEXE@23/34@9/0
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 177
  • Number of non-executed functions: 367
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 38.7% (good quality ratio 30.2%)
  • Quality average: 65.8%
  • Quality standard deviation: 39.6%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior



Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 3.2.crypmgmt.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.xxxe.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 3_2_00651C57
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 3_2_00651C57
Source: C:\Windows\System32\cmd.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 14_2_002F1C57
Source: C:\Windows\System32\cmd.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 14_2_002F1C57
Source: C:\Windows\System32\cmd.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 16_2_00331C57
Source: C:\Windows\System32\cmd.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 16_2_00331C57
Source: C:\Windows\System32\attrib.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 17_2_00171C57
Source: C:\Windows\System32\attrib.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 17_2_00171C57
Source: C:\Windows\System32\attrib.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 19_2_00551C57
Source: C:\Windows\System32\attrib.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 19_2_00551C57

Networking:

Found Tor onion address
Source: crypmgmt.exe, 00000003.00000002.16479005041.00672000.00000004.sdmp | String found in binary or memory: .onion/
Source: cmd.exe, 0000000E.00000002.16434226914.00312000.00000004.sdmp | String found in binary or memory: .onion/
Source: cmd.exe, 00000010.00000003.16426554169.001B0000.00000004.sdmp | String found in binary or memory: .onion/
Source: attrib.exe, 00000011.00000003.16428728633.00110000.00000004.sdmp | String found in binary or memory: .onion/
Source: attrib.exe, 00000013.00000003.16433757178.00320000.00000004.sdmp | String found in binary or memory: .onion/
May check the online IP address of the machine
Source: unknown | DNS query: name: myip.opendns.com
Source: unknown | DNS query: name: myip.opendns.com
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: resolver1.opendns.com
Urls found in memory or binary data
Source: crypmgmt.exe, 00000003.00000002.16479005041.00672000.00000004.sdmp, cmd.exe, 0000000E.00000002.16434226914.00312000.00000004.sdmp, cmd.exe, 00000010.00000003.16426554169.001B0000.00000004.sdmp, attrib.exe, 00000011.00000003.16428728633.00110000.00000004.sdmp, attrib.exe, 00000013.00000003.16433757178.00320000.00000004.sdmp | String found in binary or memory: file://
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop0
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktopln
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp, explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3R
Source: explorer.exe, 00000002.00000000.16144153768.003AD000.00000004.sdmp | String found in binary or memory: file:///c:/program%20files/java/jre1.8.0_144/bin/java.exer
Source: attrib.exe | String found in binary or memory: http://
Source: crypmgmt.exe, 00000003.00000002.16479005041.00672000.00000004.sdmp, cmd.exe, 0000000E.00000002.16434226914.00312000.00000004.sdmp, cmd.exe, 00000010.00000003.16426554169.001B0000.00000004.sdmp, attrib.exe, 00000011.00000003.16428728633.00110000.00000004.sdmp, attrib.exe, 00000013.00000003.16433757178.00320000.00000004.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000002.00000000.16156142859.074E0000.00000004.sdmp | String found in binary or memory: http://java.com/
Source: explorer.exe, 00000002.00000000.16158438082.003DA000.00000004.sdmp | String found in binary or memory: http://java.com/5A4J
Source: explorer.exe, 00000002.00000000.16149251430.03A39000.00000004.sdmp | String found in binary or memory: http://java.com/A
Source: explorer.exe, 00000002.00000000.16158438082.003DA000.00000004.sdmp | String found in binary or memory: http://java.com/F2EL
Source: explorer.exe, 00000002.00000000.16169209887.08110000.00000004.sdmp | String found in binary or memory: http://java.com/help
Source: explorer.exe, 00000002.00000000.16169209887.08110000.00000004.sdmp | String found in binary or memory: http://java.com/helphttp://java.com/help
Source: explorer.exe, 00000002.00000000.16169209887.08110000.00000004.sdmp | String found in binary or memory: http://java.com/http://java.com/
Source: explorer.exe, 00000002.00000000.16158438082.003DA000.00000004.sdmp | String found in binary or memory: http://java.com/~
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://schemas.m
Source: explorer.exe, 00000002.00000000.16161531524.03470000.00000008.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000002.00000000.16146272952.01D00000.00000008.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.ico
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.bing.com/search
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.bing.com/search?format=rss&q=firefox&FORM=IE8SRC
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.bing.com/search?format=rss&q=firefox&FORM=IE8SRCO
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.bing.com/search?q=firefox&FORM=IE8SRC
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.bing.com/searchb
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpS
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: attrib.exe | String found in binary or memory: https://
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%2
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/de/firefox/new
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/firefox/new
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2
Source: explorer.exe, 00000002.00000000.16162071979.03950000.00000004.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2v

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\xxxe.exe | Window found: window name: ProgMan
Creates an autostart registry key
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Deviutil
Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Deviutil

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account<.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account{*}.oeaccount
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\prefs.js
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_004014DD LoadLibraryA,GetProcAddress,1_1_004014DD
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C4F57 push ecx; ret 1_2_002C4F67
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00441310 push dword ptr [edx+2A5A8699h]; ret 1_2_0044138A
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0043E6D1 push eax; iretd 1_2_0043E6D3
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0043DC72 push ebp; retf 1_2_0043DC79
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0046A939 push ecx; ret 1_2_0046A94C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_004412D0 push dword ptr [edx+2A5A8699h]; ret 1_2_0044138A
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_004433CF push edx; retf 1_2_004433D1
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00465319 push ecx; ret 1_2_0046532C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_004417EE push esi; ret 1_2_004417F3
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00441F82 push ebp; iretd 1_2_00441F83
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0043E48C push ss; iretd 1_2_0043E48E
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00443201 push es; iretd 1_2_00443204
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0048D80A push es; iretd 1_2_0048D80D
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_004563BA push cs; ret 1_1_004563FC
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_0046A939 push ecx; ret 1_1_0046A94C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00465319 push ecx; ret 1_1_0046532C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00403CE7 push cs; iretd 1_1_00403CF4
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00408A9B push ebx; ret 1_1_00408A9C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00441310 push dword ptr [edx+2A5A8699h]; ret 3_2_0044138A
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0043E6D1 push eax; iretd 3_2_0043E6D3
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0043DC72 push ebp; retf 3_2_0043DC79
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0046A939 push ecx; ret 3_2_0046A94C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_004412D0 push dword ptr [edx+2A5A8699h]; ret 3_2_0044138A
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_004433CF push edx; retf 3_2_004433D1
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00465319 push ecx; ret 3_2_0046532C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_004417EE push esi; ret 3_2_004417F3
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00441F82 push ebp; iretd 3_2_00441F83
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0043E48C push ss; iretd 3_2_0043E48E
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00443201 push es; iretd 3_2_00443204
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0048D80A push es; iretd 3_2_0048D80D
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0066E5AB push ecx; ret 3_2_0066E5BB

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C421E CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree,1_2_002C421E
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00660422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_00660422
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006600A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,3_2_006600A3
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_003000A3 memset,FindFirstFileW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,14_2_003000A3
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00300422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,14_2_00300422
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00340422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,16_2_00340422
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_003400A3 memset,FindFirstFileW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,16_2_003400A3
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00180422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,17_2_00180422
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_001800A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,17_2_001800A3
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00560422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,19_2_00560422
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_005600A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,19_2_005600A3

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C38DA memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,1_2_002C38DA
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3E85 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_002C3E85
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C2702 NtCreateSection,memset,RtlNtStatusToDosError,NtClose,1_2_002C2702
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C1C25 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,1_2_002C1C25
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3095 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,1_2_002C3095
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3E44 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_002C3E44
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C26C3 NtMapViewOfSection,RtlNtStatusToDosError,1_2_002C26C3
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3E03 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_002C3E03
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3D6C NtQuerySystemInformation,RtlNtStatusToDosError,1_2_002C3D6C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3C78 memset,NtQueryInformationProcess,1_2_002C3C78
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C3ED5 NtGetContextThread,NtGetContextThread,1_2_002C3ED5
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00661637 NtQueryInformationProcess,3_2_00661637
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006628B4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_006628B4
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0065E2A0 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,3_2_0065E2A0
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0065DA37 memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,3_2_0065DA37
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00666DD0 NtMapViewOfSection,RtlNtStatusToDosError,3_2_00666DD0
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006621E7 NtQuerySystemInformation,RtlNtStatusToDosError,3_2_006621E7
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00665EFC memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,3_2_00665EFC
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00666E0F NtCreateSection,memset,RtlNtStatusToDosError,NtClose,3_2_00666E0F
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00661E8B memset,NtQueryInformationProcess,3_2_00661E8B
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00679040 NtProtectVirtualMemory,NtProtectVirtualMemory,3_2_00679040
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_00679018 NtProtectVirtualMemory,NtProtectVirtualMemory,3_2_00679018
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B2702 NtCreateSection,memset,RtlNtStatusToDosError,NtClose,3_2_006B2702
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B3095 NtOpenProcess,NtOpenProcessToken,NtClose,NtClose,3_2_006B3095
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B26C3 NtMapViewOfSection,RtlNtStatusToDosError,3_2_006B26C3
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B1C25 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,3_2_006B1C25
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B3D6C NtQuerySystemInformation,RtlNtStatusToDosError,3_2_006B3D6C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_006B3C78 memset,NtQueryInformationProcess,3_2_006B3C78
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00301637 NtQueryInformationProcess,14_2_00301637
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00305EFC memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,14_2_00305EFC
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00306E0F NtCreateSection,memset,RtlNtStatusToDosError,NtClose,14_2_00306E0F
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_003022BD NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,14_2_003022BD
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00306DD0 NtMapViewOfSection,RtlNtStatusToDosError,14_2_00306DD0
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_003022FE NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,14_2_003022FE
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_0030227C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,14_2_0030227C
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00301E8B memset,NtQueryInformationProcess,14_2_00301E8B
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00301AEB memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,14_2_00301AEB
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_003028B4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,14_2_003028B4
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_002FDA37 memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,14_2_002FDA37
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_003021E7 NtQuerySystemInformation,RtlNtStatusToDosError,14_2_003021E7
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_002FE2A0 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,14_2_002FE2A0
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00319040 NtProtectVirtualMemory,NtProtectVirtualMemory,14_2_00319040
Source: C:\Windows\System32\cmd.exe | Code function: 14_2_00319018 NtProtectVirtualMemory,NtProtectVirtualMemory,14_2_00319018
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00341637 NtQueryInformationProcess,16_2_00341637
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00346E0F NtCreateSection,memset,RtlNtStatusToDosError,NtClose,16_2_00346E0F
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00345EFC memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,16_2_00345EFC
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_003428B4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,16_2_003428B4
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_003422FE NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,16_2_003422FE
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00346DD0 NtMapViewOfSection,RtlNtStatusToDosError,16_2_00346DD0
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00341E8B memset,NtQueryInformationProcess,16_2_00341E8B
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_0034227C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,16_2_0034227C
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00341AEB memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,16_2_00341AEB
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_003422BD NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,16_2_003422BD
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_0033E2A0 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,16_2_0033E2A0
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_0033DA37 memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,16_2_0033DA37
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_003421E7 NtQuerySystemInformation,RtlNtStatusToDosError,16_2_003421E7
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00359040 NtProtectVirtualMemory,NtProtectVirtualMemory,16_2_00359040
Source: C:\Windows\System32\cmd.exe | Code function: 16_2_00359018 NtProtectVirtualMemory,NtProtectVirtualMemory,16_2_00359018
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00181637 NtQueryInformationProcess,17_2_00181637
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_001828B4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,17_2_001828B4
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00186DD0 NtMapViewOfSection,RtlNtStatusToDosError,17_2_00186DD0
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00186E0F NtCreateSection,memset,RtlNtStatusToDosError,NtClose,17_2_00186E0F
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_0017E2A0 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,17_2_0017E2A0
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00181E8B memset,NtQueryInformationProcess,17_2_00181E8B
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_0017DA37 memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,17_2_0017DA37
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_001821E7 NtQuerySystemInformation,RtlNtStatusToDosError,17_2_001821E7
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00185EFC memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,17_2_00185EFC
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00199040 NtProtectVirtualMemory,NtProtectVirtualMemory,17_2_00199040
Source: C:\Windows\System32\attrib.exe | Code function: 17_2_00199018 NtProtectVirtualMemory,NtProtectVirtualMemory,17_2_00199018
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00561637 NtQueryInformationProcess,19_2_00561637
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_005628B4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,19_2_005628B4
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_0055E2A0 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,19_2_0055E2A0
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00566E0F NtCreateSection,memset,RtlNtStatusToDosError,NtClose,19_2_00566E0F
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00561E8B memset,NtQueryInformationProcess,19_2_00561E8B
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00566DD0 NtMapViewOfSection,RtlNtStatusToDosError,19_2_00566DD0
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00565EFC memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,19_2_00565EFC
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_0055DA37 memset,CreateMutexA,GetLastError,CloseHandle,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,RtlAllocateHeap,LoadLibraryA,RtlAllocateHeap,wsprintfA,19_2_0055DA37
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_005621E7 NtQuerySystemInformation,RtlNtStatusToDosError,19_2_005621E7
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00579040 NtProtectVirtualMemory,NtProtectVirtualMemory,19_2_00579040
Source: C:\Windows\System32\attrib.exe | Code function: 19_2_00579018 NtProtectVirtualMemory,NtProtectVirtualMemory,19_2_00579018
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Code function: 3_2_0066697A CreateProcessAsUserW,3_2_0066697A
Creates mutexes
Source: C:\Windows\System32\attrib.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6C597A24-DB85-7E01-C560-3F92C994E3E6}
Source: C:\Windows\System32\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5C758A1C-0B91-EEB2-7550-6F0279841356}
Source: C:\Windows\System32\attrib.exe | Mutant created: \Sessions\1\BaseNamedObjects\{64678220-730B-365A-1DD8-57CAA18C7B9E}
Source: C:\Windows\System32\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C89E511F-87B3-3ADB-517C-AB0E15700F22}
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe | Mutant created: \Sessions\1\BaseNamedObjects\{90008A03-AF5A-4248-B9C4-5396FD38372A}
Detected potential crypto function
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_002C4F68
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_004751DF
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00470357
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0046F033
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00476B7C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_0046B74E
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00475723
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00474C9B
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_2_00464280
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_004751DF
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_0046F033
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00476B7C
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_0046B74E
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00475723
Source: C:\Users\user\Desktop\xxxe.exe | Code function: 1_1_00474C9B
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_1_00401D601_1_00401D60
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_1_00475E1B1_1_00475E1B
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_1_004642801_1_00464280
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_004751DF3_2_004751DF
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_004703573_2_00470357
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0046F0333_2_0046F033
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_00476B7C3_2_00476B7C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0046B74E3_2_0046B74E
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_004757233_2_00475723
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_00474C9B3_2_00474C9B
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_004642803_2_00464280
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_00654B2F3_2_00654B2F
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0066E5BC3_2_0066E5BC
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0065EB9F3_2_0065EB9F
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_006B4F683_2_006B4F68
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_004751DF3_1_004751DF
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_0046F0333_1_0046F033
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_00476B7C3_1_00476B7C
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_0046B74E3_1_0046B74E
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_004757233_1_00475723
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_00474C9B3_1_00474C9B
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_00401D603_1_00401D60
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_00475E1B3_1_00475E1B
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_1_004642803_1_00464280
Source: C:\Windows\System32\cmd.exeCode function: 14_2_002FEB9F14_2_002FEB9F
Source: C:\Windows\System32\cmd.exeCode function: 14_2_002F4B2F14_2_002F4B2F
Source: C:\Windows\System32\cmd.exeCode function: 14_2_0030E5BC14_2_0030E5BC
Source: C:\Windows\System32\cmd.exeCode function: 16_2_0033EB9F16_2_0033EB9F
Source: C:\Windows\System32\cmd.exeCode function: 16_2_0034E5BC16_2_0034E5BC
Source: C:\Windows\System32\cmd.exeCode function: 16_2_00334B2F16_2_00334B2F
Source: C:\Windows\System32\attrib.exeCode function: 17_2_00174B2F17_2_00174B2F
Source: C:\Windows\System32\attrib.exeCode function: 17_2_0017EB9F17_2_0017EB9F
Source: C:\Windows\System32\attrib.exeCode function: 17_2_0018E5BC17_2_0018E5BC
Source: C:\Windows\System32\attrib.exeCode function: 19_2_0055EB9F19_2_0055EB9F
Source: C:\Windows\System32\attrib.exeCode function: 19_2_0056E5BC19_2_0056E5BC
Source: C:\Windows\System32\attrib.exeCode function: 19_2_00554B2F19_2_00554B2F
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: String function: 0046B143 appears 38 times
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: String function: 0046527A appears 46 times
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: String function: 0046A8F4 appears 84 times
Source: C:\Users\user\Desktop\xxxe.exeCode function: String function: 0046B143 appears 38 times
Source: C:\Users\user\Desktop\xxxe.exeCode function: String function: 0046527A appears 46 times
Source: C:\Users\user\Desktop\xxxe.exeCode function: String function: 0046A8F4 appears 84 times
PE file contains strange resourcesShow sources
Source: xxx.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts fileShow sources
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample file is different than original file name gathered from version infoShow sources
Source: xxx.exeBinary or memory string: OriginalFilenamekingrange.exeB vs xxx.exe
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: xxx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification labelShow sources
Source: classification engineClassification label: mal100.evad.phis.spyw.troj.winEXE@23/34@9/0
Contains functionality to enum processes or threadsShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0065BA0B CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next,3_2_0065BA0B
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\xxxe.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\DtshsPubJump to behavior
Creates temporary filesShow sources
Source: C:\Windows\explorer.exeFile created: C:\Users\HERBBL~1\AppData\Local\Temp\4E3E.binJump to behavior
Executes batch filesShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\CB21\CC15.bat' 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.inf''
Found command line outputShow sources
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................................................A.p.p.D.a.t.a.\.L.o.c.a.v.&..... ........E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........|.....Ow@..J..?.................$...(.........dw....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................a.t.t.r.i.b......................................R?.<..J.....bNw..\u....$...,.....................nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0......................................................R?.<..J.....bNw..&.0............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........................................................................................@F.J..&.P............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................................................A.p.p.D.a.t.a.\.L.o.c.a.v.&..... ........E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........|.....Ow@..J..@.................$...(.........dw....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................d.e.l............................................PC.<..J.....bNw..\u....$...,.....................nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0......................................................PC.<..J.....bNw..&.0............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........................................................................................@F.J..&.P............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .........'.@......... ..........E..J.........'.@....@F.J. ............B.V..J .A.......A.........#..w........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ...................................................................../A.p.D.<....+Ow5...@..Jv.&..... ........E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.<....+Ow5...@..Jv.&.......O.$...(.........dw....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ..............................................J.....PC.<..J.....bNw..&.0............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.......................................................................&..............H.J....x...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................g.o.t.o.......................................................&.........................@F.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .4.5.8.3.2.8.0. .....................................................&...&..............E.J....|...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........................................................................SF.Jd4/.D...B...H.....&.P............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................................................A.p.p.D.a.t.a.\.L.o.c.a.v.&..... ........E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a.v.&.......O.$...(.........dw....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................d.e.l............................................PC.<..J.....bNw..\u....$...,.....................nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0......................................................PC.<..J.....bNw..&.0.......l....E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........................................"...............................l...............@F.J..&.P............E.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........l#..........T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.................#..w`...B...`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...)...........................A.p.p.D.a.t.a.\.L.o.c.a.......+.P.+......E.J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>...........+...Ow@..J................(.+.T.+.(.....+...dw..+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................a.t.t.r.i.b.....`...5...............................<..J.....bNw..\u....T.+.\.+...+...............nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.............`...;.......................................<..J.....bNw....`.+..........E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...A...............................................@F.J......+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...............................A.p.p.D.a.t.a.\.L.o.c.a.......+.P.+......E.J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>...........+...Ow@..J`...............(.+.T.+.(.....+...dw..+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................d.e.l...........`...................................<..J.....bNw..\u....T.+.\.+...+...............nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.............`...........................................<..J.....bNw....`.+..........E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...................................................@F.J......+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .........'.@......... ..D.+...+.E..J.........'.@....@F.J. ..D.+.........V..JP...........D.+.....#..w........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...............................P...p.D......*......(+........+.P.+......E.J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D......*......(+........+.0.2.T.+.(.....+...dw..+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................i.f. ...........`..................................J........<..J.....bNw....`.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.............`...............................`.......................i...@.+..........H.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................g.o.t.o.........`...........................................i...@.+...............+.....@F.J........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .4.5.8.4.5.9.2. ...................................................i.......D.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...................................SF.Jc...t.+.B...x.+.......+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...............................A.p.p.D.a.t.a.\.L.o.c.a.......+.P.+......E.J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........p.D.a.t.a.\.L.o.c.a.......+.0.2.T.+.(.....+...dw..+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................d.e.l...........`...................................<..J.....bNw..\u....T.+.\.+...+...............nwJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.............`...........................................<..J.....bNw....`.+.....l....E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................................`...................................l...............@F.J......+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........l#..........T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d...........+.....#..w..+.B...`.....,.....Jump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: xxx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Users\user\Desktop\xxxe.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\xxxe.exe 'C:\Users\user\Desktop\xxxe.exe'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe 'C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe'
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\HERBBL~1\AppData\Local\Temp\D258.bi1'
Source: unknownProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\HERBBL~1\AppData\Local\Temp\D258.bi1'
Source: unknownProcess created: C:\Windows\System32\makecab.exe makecab.exe /F 'C:\Users\HERBBL~1\AppData\Local\Temp\4E3E.bin'
Source: unknownProcess created: C:\Windows\System32\makecab.exe makecab.exe /F 'C:\Users\HERBBL~1\AppData\Local\Temp\CFAA.bin'
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\CB21\CC15.bat' 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.inf''
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\F8B1\D7F5.bat' 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.rpt''
Source: unknownProcess created: C:\Windows\System32\attrib.exe attrib -r -s -h 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.inf'
Source: unknownProcess created: C:\Windows\System32\attrib.exe attrib -r -s -h 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.rpt'
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe 'C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe' Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\HERBBL~1\AppData\Local\Temp\D258.bi1'Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\HERBBL~1\AppData\Local\Temp\D258.bi1'Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\makecab.exe makecab.exe /F 'C:\Users\HERBBL~1\AppData\Local\Temp\4E3E.bin'Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\makecab.exe makecab.exe /F 'C:\Users\HERBBL~1\AppData\Local\Temp\CFAA.bin'Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\CB21\CC15.bat' 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.inf''Jump to behavior
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\F8B1\D7F5.bat' 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.rpt''Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r -s -h 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.inf'Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r -s -h 'C:\Users\user\AppData\Roaming\Microsoft\{6A49CDA0-C1E9-2CB8-9B3E-8520FF528954}\setup.rpt'Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Windows\explorer.exeKey opened: HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: xxx.exeStatic file information: File size 1057280 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Windows\explorer.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
PE file contains a debug data directoryShow sources
Source: xxx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Anger\Son\Meet\mind\meant\safe\Yard\DownSubtract.pdb source: xxxe.exe, 00000001.00000000.16029148022.00478000.00000002.sdmp, crypmgmt.exe, 00000003.00000000.16184309897.00478000.00000002.sdmp, xxx.exe

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\xxxe.exe | Memory allocated: C:\Windows\explorer.exe base: 2E10000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe base: 3B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\cmd.exe base: 350000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\cmd.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe | Memory allocated: C:\Windows\System32\attrib.exe base: 100000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe | Memory allocated: C:\Windows\System32\attrib.exe base: 310000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\xxxe.exe | Memory protected: C:\Windows\explorer.exe base: 774CF515 protect: page execute and read and write
Source: C:\Users\user\Desktop\xxxe.exe | Memory protected: C:\Windows\explorer.exe base: 774CF515 protect: page execute read
Source: C:\Users\user\Desktop\xxxe.exe | Memory protected: C:\Windows\explorer.exe base: 774CF515 protect: page execute and read and write
Source: C:\Users\user\Desktop\xxxe.exe | Memory protected: C:\Windows\explorer.exe base: 774CF515 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\xxxe.exe | Thread created: C:\Windows\explorer.exe EIP: 774CF515
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: PID: 1432 base: 774CF515 value: EB
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: PID: 1432 base: 2E10000 value: 15
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: PID: 1432 base: 774CF515 value: 8B
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\xxxe.exe | Section loaded: unknown target pid: 1432 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\xxxe.exe | Thread register set: target process: 1432
Source: C:\Windows\explorer.exe | Thread register set: target process: 3460
Source: C:\Windows\explorer.exe | Thread register set: target process: 3712
Source: C:\Windows\explorer.exe | Thread register set: target process: 3740
Source: C:\Windows\System32\cmd.exe | Thread register set: target process: 3752
Source: C:\Windows\System32\cmd.exe | Thread register set: target process: 3792
Writes to foreign memory regions
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: C:\Windows\explorer.exe base: 774CF515
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: C:\Windows\explorer.exe base: 2E10000
Source: C:\Users\user\Desktop\xxxe.exe | Memory written: C:\Windows\explorer.exe base: 774CF515
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe base: 46481E
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe base: 3B0000
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe base: 46481E
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 4AC3829A
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 350000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 4AC3829A
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 4AC3829A
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 1A0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\cmd.exe base: 4AC3829A
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: B92989
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: 100000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: B92989
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: B92989
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: 310000
Source: C:\Windows\System32\cmd.exe | Memory written: C:\Windows\System32\attrib.exe base: B92989
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000002.00000000.16144153768.003AD000.00000004.sdmp | Binary or memory string: Progmanp-
Source: xxxe.exe, 00000001.00000002.16171383891.002C7000.00000004.sdmp | Binary or memory string: ProgMan
Source: explorer.exe, 00000002.00000000.16144788402.00780000.00000002.sdmp, crypmgmt.exe, 00000003.00000000.16186273637.00740000.00000002.sdmp, cmd.exe, 0000000E.00000000.16414109672.005E0000.00000002.sdmp, cmd.exe, 00000010.00000000.16423882287.00590000.00000002.sdmp, attrib.exe, 00000011.00000000.16426345551.00BA0000.00000002.sdmp, attrib.exe, 00000013.00000000.16431959689.00BA0000.00000002.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.16144788402.00780000.00000002.sdmp, crypmgmt.exe, 00000003.00000000.16186273637.00740000.00000002.sdmp, makecab.exe, 0000000A.00000003.16408373651.01239000.00000004.sdmp, makecab.exe, 0000000C.00000003.16410770230.0113A000.00000004.sdmp, cmd.exe, 0000000E.00000000.16414109672.005E0000.00000002.sdmp, cmd.exe, 00000010.00000000.16423882287.00590000.00000002.sdmp, attrib.exe, 00000011.00000000.16426345551.00BA0000.00000002.sdmp, attrib.exe, 00000013.00000000.16431959689.00BA0000.00000002.sdmp, 01D419C708D6A2900B.2.dr | Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.16144788402.00780000.00000002.sdmp, crypmgmt.exe, 00000003.00000000.16186273637.00740000.00000002.sdmp, cmd.exe, 0000000E.00000000.16414109672.005E0000.00000002.sdmp, cmd.exe, 00000010.00000000.16423882287.00590000.00000002.sdmp, attrib.exe, 00000011.00000000.16426345551.00BA0000.00000002.sdmp, attrib.exe, 00000013.00000000.16431959689.00BA0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)Show sources
Source: C:\Windows\explorer.exeFile opened: C:\Windows\WinSxS\FileMaps\users_herb_blackburn_appdata_roaming_microsoft_dtshspub_6394ae488fbaac2e.cdf-ms
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_2_0046405A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0046405A
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_1_004014DD LoadLibraryA,GetProcAddress,1_1_004014DD
Contains functionality to read the PEBShow sources
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_2_002B04EC mov eax, dword ptr fs:[00000030h]1_2_002B04EC
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_2_002B00C2 push dword ptr fs:[00000030h]1_2_002B00C2
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_2_0048D24A mov eax, dword ptr fs:[00000030h]1_2_0048D24A
Source: C:\Users\user\Desktop\xxxe.exeCode function: 1_2_0048CE20 push dword ptr fs:[00000030h]1_2_0048CE20
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_003C04EC mov eax, dword ptr fs:[00000030h]3_2_003C04EC
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_003C00C2 push dword ptr fs:[00000030h]3_2_003C00C2
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0048D24A mov eax, dword ptr fs:[00000030h]3_2_0048D24A
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exeCode function: 3_2_0048CE20 push dword ptr fs:[00000030h]3_2_0048CE20
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046611F SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046405A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_00464362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_00463FCF SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046611F SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046405A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_00464362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_00463FCF SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046611F SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046405A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_00464362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_00463FCF SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0065DF26 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046611F SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046405A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_00464362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_00463FCF SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\cmd.exe Code function: 14_2_002FDF26 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler
Source: C:\Windows\System32\cmd.exe Code function: 16_2_0033DF26 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler
Source: C:\Windows\System32\attrib.exe Code function: 17_2_0017DF26 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler
Source: C:\Windows\System32\attrib.exe Code function: 19_2_0055DF26 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Stalling execution: Execution stalls by calling Sleep (graph_3-24398)
Source: C:\Users\user\Desktop\xxxe.exe Stalling execution: Execution stalls by calling Sleep (graph_1-14496)
Found evasive API chain (date check)
Source: C:\Windows\System32\cmd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\attrib.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_3-24783)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_3-24043)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\xxxe.exe Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-14001)
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe API coverage: 7.0 %
Source: C:\Windows\System32\cmd.exe API coverage: 7.1 %
Source: C:\Windows\System32\cmd.exe API coverage: 6.9 %
Source: C:\Windows\System32\attrib.exe API coverage: 4.3 %
Source: C:\Windows\System32\attrib.exe API coverage: 4.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\xxxe.exe TID: 3388 Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\xxxe.exe TID: 3392 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe TID: 3488 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe TID: 3492 Thread sleep count: 56 > 30
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_002C421E CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,HeapFree,HeapFree
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_00660422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_006600A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\System32\cmd.exe Code function: 14_2_003000A3 memset,FindFirstFileW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\System32\cmd.exe Code function: 14_2_00300422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\cmd.exe Code function: 16_2_00340422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\cmd.exe Code function: 16_2_003400A3 memset,FindFirstFileW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\System32\attrib.exe Code function: 17_2_00180422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\attrib.exe Code function: 17_2_001800A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\System32\attrib.exe Code function: 19_2_00560422 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\attrib.exe Code function: 19_2_005600A3 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp Binary or memory string: I@oVmciJGbhN2aiVncuBAAAAYRqMzNQvfPQC2obJf4QsE1j2NO6pu35R4pryKsd/yJiWkKzcD073DkgN6WyHOELR9odjjeq7deEe6qsCb3vciIAAAAAers`
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp Binary or memory string: AAAAoVmciJ
Source: explorer.exe, 00000002.00000000.16148159395.02A60000.00000004.sdmp Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAUEFZo/KEocA4vLOr1DBKHA+7iza9QgyBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkZAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAAeAEDAAAAAAwoPSMREAAVdixWajBAAiBACAQAAv7r76MKFM6jEToCAAAA7BAAAAAQAAAAAAAAAAAAA4AAAAAAAQBQdAIGAsBQaAMGAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAgNAAAAWAgfAEDAAAAAA4uO9USEAAVajRXdyV2cAAgZAgAAEAw7+6uOjSh760TJqAAAAQfAAAAAAEAAAAAAAAAAAAAPAAAAAAAUAkGAjBAdAUHAyBQZAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAwAgMAAAAYAAAAIHAAAAHAAAADAAAAwBAAAQLAAAA4AAAAIGAAAQEAAAADAAAAMLYISDEAAAAAMkOcV1clJ3ccBAAqAAAAIAAAAAFAAAAAAAAAAAACAAXchURSJkQMF0QLJUVS5EXVNXZyNHAQVnYsl2YcBVajRXdyV2cAABAAAQBAAAo2AAAAcZAAAAHAAAALAAAga4+rb7BpxTQae/TCvK88V8lBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNAMDAz
Note on this evidence: every string above comes from one explorer.exe memory region and consists of what looks like base64-encoded data; the match appears to be the substring "Vmci" occurring inside that encoded text rather than a readable VM-detection string, so this signature should be treated as low-confidence unless the unpacked code is seen comparing against VM artifacts.
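To separate a genuine VM-artifact string from a keyword that merely occurs inside encoded data, here is an added triage helper; it is not part of the Joe Sandbox report or its signature engine. It assumes the sandbox matched on the substring "Vmci", uses an assumed keyword list (the real list is not on this page), and runs over two of the strings reported above plus one constructed plain-text control string.

```python
import re

# Constructed sample input: the first two strings are copied from the report's
# explorer.exe dump lines above; the third is a made-up plain-text control that
# would be a genuine VMware artifact (a VMCI device path).
SAMPLE_STRINGS = [
    "I@oVmciJGbhN2aiVncuBAAAAYRqMzNQvfPQC2obJf4QsE1j2NO6pu35R4pryKsd/yJiWkKzcD073DkgN6WyHOELR9odjjeq7deEe6qsCb3vciIAAAAAers`",
    "AAAAoVmciJ",
    "\\\\.\\vmci",  # constructed control string
]

# Assumed keyword list; Joe Sandbox's actual VM-artifact list is not shown on this page.
VM_KEYWORDS = ("vmci", "vmware", "vbox", "virtualbox", "qemu", "xen")

# A run of 16+ base64-alphabet characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_base64_token(token):
    """Heuristic: long token over the base64 alphabet mixing upper, lower and digits."""
    if len(token) < 16:
        return False
    return (any(c.isupper() for c in token)
            and any(c.islower() for c in token)
            and any(c.isdigit() for c in token))


def assess(s):
    """Return one record per VM keyword hit in s, with a confidence rating.

    high   - keyword stands on its own (word-bounded), e.g. \\\\.\\vmci
    medium - keyword is glued into a longer alphanumeric token
    low    - keyword sits inside a token that looks like a base64 blob
    """
    s_lower = s.lower()
    hits = []
    for kw in VM_KEYWORDS:
        for m in re.finditer(re.escape(kw), s_lower):
            start, end = m.start(), m.end()
            before = s[start - 1] if start > 0 else ""
            after = s[end] if end < len(s) else ""
            embedded = before.isalnum() or after.isalnum()
            # Find the base64-alphabet token (if any) that fully contains the match.
            token = next((t.group(0) for t in B64_TOKEN.finditer(s)
                          if t.start() <= start and t.end() >= end), None)
            in_b64 = token is not None and looks_like_base64_token(token)
            if embedded and in_b64:
                confidence = "low"
            elif embedded:
                confidence = "medium"
            else:
                confidence = "high"
            hits.append({"keyword": kw, "offset": start, "embedded": embedded,
                         "in_base64_blob": in_b64, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        for h in assess(s):
            print(f"{h['confidence']:6s} {h['keyword']}@{h['offset']} in {s[:40]!r}")
```

Run against the report's two strings the helper rates the hits "low" and "medium" (keyword glued into a base64-looking token and into a short alphanumeric token respectively), while the constructed device path rates "high"; the same check can be applied to any "VM artifact strings found in memory" line before the signature is allowed to raise the verdict.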
Program exit points
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe API call chain: ExitProcess graph end node (graph_3-24304)
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe API call chain: ExitProcess graph end node (graph_3-24020)
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe API call chain: ExitProcess graph end node (graph_3-24498)
Queries a list of all running processes
Source: C:\Users\user\Desktop\xxxe.exe Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessAsUserW address: 7724900A
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: kernel32.dll function: CreateProcessAsUserW new code: 0xE9 0x96 0x6B 0xBD 0xD9 0x90
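The "new code" bytes above are a 5-byte JMP rel32 followed by a NOP, the classic shape of an inline hook written over a function's first instructions. The following added triage helper (not Joe Sandbox code) parses such a hook line and decodes where the trampoline jumps. Two assumptions are made: that the address the report prints (7724900A) is the hooked function's own address, which the report does not state and which must hold for the computed target to be meaningful, and that the clean baseline for this export is Microsoft's hot-patchable x86 prologue (mov edi,edi / push ebp / mov ebp,esp), which should be confirmed against the on-disk kernel32.dll.

```python
import re
import struct

# Constructed from the report's inline-hook line for explorer.exe (added triage code).
REPORT_LINE = ("module: kernel32.dll function: CreateProcessAsUserW "
               "new code: 0xE9 0x96 0x6B 0xBD 0xD9 0x90")
# Assumption: the reported address is the start of the hooked function.
ASSUMED_FUNC_ADDR = 0x7724900A

# Assumed clean baseline: MS hot-patch prologue (mov edi,edi; push ebp; mov ebp,esp).
HOTPATCH_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])

LINE_RE = re.compile(
    r"module:\s*(\S+)\s+function:\s*(\S+)\s+new code:\s*((?:0x[0-9A-Fa-f]{2}\s*)+)")


def parse_hook_line(line):
    """Extract module, function and the rewritten prologue bytes from a report line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a user-mode hook line")
    code = bytes(int(b, 16) for b in m.group(3).split())
    return {"module": m.group(1), "function": m.group(2), "code": code}


def classify_prologue(code, func_addr):
    """Recognise common 32-bit trampoline shapes at the start of a function."""
    if len(code) >= 5 and code[0] == 0xE9:                       # JMP rel32
        rel = struct.unpack("<i", code[1:5])[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF                 # wrap to 32 bits
        return {"kind": "jmp_rel32", "target": target, "len": 5}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # JMP dword ptr [abs32]
        return {"kind": "jmp_indirect",
                "pointer": struct.unpack("<I", code[2:6])[0], "len": 6}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # PUSH imm32 / RET
        return {"kind": "push_ret",
                "target": struct.unpack("<I", code[1:5])[0], "len": 6}
    if code.startswith(HOTPATCH_PROLOGUE):
        return {"kind": "clean_hotpatch_prologue", "len": 5}
    return {"kind": "unknown", "len": 0}


def triage(line, func_addr):
    """Parse one report line and decide whether it describes a trampoline."""
    info = parse_hook_line(line)
    info.update(classify_prologue(info["code"], func_addr))
    info["hooked"] = info["kind"] in ("jmp_rel32", "jmp_indirect", "push_ret")
    return info


if __name__ == "__main__":
    r = triage(REPORT_LINE, ASSUMED_FUNC_ADDR)
    print(f"{r['module']}!{r['function']}: {r['kind']}, hooked={r['hooked']}, "
          f"target=0x{r.get('target', 0):08X}")
```

Under the stated address assumption the trampoline lands at 0x50E1FBA5, a user-space address outside kernel32, which is where the injected Gozi code in explorer.exe would be expected; the same function can be fed a live memory read of a suspect export, with the hotpatch baseline used to decide whether the prologue is untouched.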
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_USERS\Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6
Disables application error messages (SetErrorMode)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\prefs.js

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046ECDE __getptd,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0047260F GetLastError,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046EA00 __getptd,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046EE42 __getptd,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_00470BAE GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_004725CA GetLocaleInfoW
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046ED9F _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046EE06 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046E8E9 GetLocaleInfoA,GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_0046EA98 GetLocaleInfoA,_GetPrimaryLen,_strlen
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046ECDE __getptd,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_00467F76 GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046EA00 __getptd,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046EB0C __getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046EE42 __getptd,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_00470BAE GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_004725CA GetLocaleInfoW
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_004725FE GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_004734D5 GetLocaleInfoA,___ascii_strnicmp
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046ED9F _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046EE06 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046E8E9 GetLocaleInfoA,GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_1_0046EA98 GetLocaleInfoA,_GetPrimaryLen,_strlen
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046ECDE __getptd,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0047260F GetLastError,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046EA00 __getptd,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046EE42 __getptd,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_00470BAE GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_004725CA GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046ED9F _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046EE06 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046E8E9 GetLocaleInfoA,GetLocaleInfoA,GetACP
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0046EA98 GetLocaleInfoA,_GetPrimaryLen,_strlen
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046ECDE __getptd,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_00467F76 GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046EA00 __getptd,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046EB0C __getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046EE42 __getptd,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_00470BAE GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_004725CA GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_004725FE GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_004734D5 GetLocaleInfoA,___ascii_strnicmp
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046ED9F _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046EE06 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046E8E9 GetLocaleInfoA,GetLocaleInfoA,GetACP
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_1_0046EA98 GetLocaleInfoA,_GetPrimaryLen,_strlen
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_006677C7 cpuid
Contains functionality to create pipes for IPC
Source: C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe Code function: 3_2_0065C471 CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_002C4A62 GetCurrentThreadId,GetSystemTimeAsFileTime,GetTempFileNameA,PathFindExtensionA,lstrcpy
Contains functionality to query windows version
Source: C:\Users\user\Desktop\xxxe.exe Code function: 1_2_002C296E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 67745   Sample: xxxe.tkn   Start date: 12/07/2018   Architecture: WINDOWS   Score: 100
(Bracketed numbers are the graph's per-node counters; see the legend above.)

  • Start
    • Signatures: May check the online IP address of the machine; Found Tor onion address; Uses nslookup.exe to query domains; 3 other signatures
    • started: xxxe.exe [3]
      • dropped: C:\Users\user\AppData\...\crypmgmt.exe (data)
      • Signatures: Found stalling execution ending in API Sleep call; Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); 6 other signatures
      • injected: explorer.exe [12, 13]
        • dropped: C:\Users\user\AppData\Roaming\...\prefs.js (ASCII)
        • Signatures: Tries to steal Mail credentials (via file access); Overwrites Mozilla Firefox settings; Searches for Windows Mail specific files; 4 other signatures
        • started: cmd.exe
          • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection)
          • started: attrib.exe
            • Signatures: Detected Gozi e-Banking trojan
        • started: cmd.exe
          • started: attrib.exe
        • started: crypmgmt.exe
          • Signatures: Detected Gozi e-Banking trojan; Found stalling execution ending in API Sleep call
        • started: 4 other processes
          • started: nslookup.exe
            • DNS/IP: qdasdusndweenas.com; 222.222.67.208.in-addr.arpa; 3 other IPs or domains

Simulations

Behavior and APIs

Time | Type | Description
11:58:20 | API Interceptor | 1x Sleep call for process: xxxe.exe modified
11:58:27 | API Interceptor | 630x Sleep call for process: explorer.exe modified
11:58:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Deviutil C:\Users\user\AppData\Roaming\Microsoft\DtshsPub\crypmgmt.exe
11:58:32 | API Interceptor | 1x Sleep call for process: crypmgmt.exe modified
11:59:29 | API Interceptor | 1x Sleep call for process: nslookup.exe modified
11:59:36 | API Interceptor | 2x Sleep call for process: cmd.exe modified
11:59:39 | API Interceptor | 4x Sleep call for process: attrib.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.crypmgmt.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.2.xxxe.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner
resolver1.opendns.com | 0% | virustotal
myip.opendns.com | 0% | virustotal
222.222.67.208.in-addr.arpa | 1% | virustotal

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
resolver1.opendns.com | r.exe | 3cc984eac1c88f7d5eb6ea85e79a2be3430bf7dcbfc03bfa12acde8f60657198 | malicious | 208.67.222.222
resolver1.opendns.com | 01.exe | 2e530f9942dd97b3e4705152fac00e741896db9b9d4bc93caaa969523f37faf6 | malicious | 208.67.222.222
resolver1.opendns.com | http://www.fourthtour.it/rus/tour/php.scr | - | malicious | 208.67.222.222
resolver1.opendns.com | wTbAYe7xt.exe | f655db6253fe6aef2a628204900eea12a3b766d98cc268235678ed358585f61a | malicious | 208.67.222.222
resolver1.opendns.com | 101.exe | bacef2589b5266b6d78cff09fd95c3f11052f49e55ec9a1a470fe72c4702130c | malicious | 208.67.222.222
resolver1.opendns.com | 21factura (1).js | dddca2a95688eabe6052854a9ec3878966bd0a3a429e75f09d1f3cb110d192fe | malicious | 208.67.222.222
resolver1.opendns.com | 00.exe | af16822f425108d455de94c59e9f0ba988735dd8691e571171da242751620f30 | malicious | 208.67.222.222
resolver1.opendns.com | Richiesta.doc | ecd47f4204da14a45cb2bbae813c2aaa7980b92a91ba2855669d3f1be25bef12 | malicious | 208.67.222.222
resolver1.opendns.com | CdB_Richiesta.doc | ec36655a1d4d6f911c33c31e3c1eb12c9ba01006fdf71fc41cfc4707430d09f5 | malicious | 208.67.222.222
resolver1.opendns.com | krish.class.exe | 72b427767ecb9ae6ecb08924a8c4dbff85b85dbe998f1b9ec310ce95927461b5 | malicious | 208.67.222.222
resolver1.opendns.com | Melton_Industries_Inquiry.doc | dfe18ec0bf9afa1b3ef345596fdd51905d01fe6b3a8b74fe961c2f0686481a0e | malicious | 208.67.222.222
resolver1.opendns.com | THE_HARRION_LAW_FIRM_Request.doc | 1c63ca41136f1cbe7e2e541d92d6b3eb70a79374f172fbd7157da4018bfeb8d2 | malicious | 208.67.222.222
resolver1.opendns.com | 1.exe | 20b4184c27c3f6ac557fbd8c3750ee6c8581d464d118353a4ce9405d104cfb5f | malicious | 208.67.222.222
resolver1.opendns.com | sample.exe | 75d846c690c188a3cc6a2e226fdd42af8a1351b07fb56795106285178b0a0aa7 | malicious | 208.67.222.222
resolver1.opendns.com | BK.485799485.jse | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | 208.67.222.222
resolver1.opendns.com | BK.485799485.jse | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | 208.67.222.222
resolver1.opendns.com | rt.exe | e1143efc15b55bd6a622b24b6712e40fb63a31e7cff920ab0859aa6b57be9ad3 | malicious | 208.67.222.222
resolver1.opendns.com | php.exe | 57b374e2d2f002c11c69b454fcf1aa57bd971cd0638eca12c6691cdb6a2f011c | malicious | 208.67.222.222
resolver1.opendns.com | fUbmcvOE5.exe | dcc242024a232809cd2e0ee4889bec4d3a8b30d077e131495416e3d3c65bd174 | malicious | 208.67.222.222
myip.opendns.com | BK.485799485.jse | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | 176.10.98.139
myip.opendns.com | BK.485799485.jse | 74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a | malicious | 176.10.98.139
myip.opendns.com | fUbmcvOE5.exe | dcc242024a232809cd2e0ee4889bec4d3a8b30d077e131495416e3d3c65bd174 | malicious | 91.134.222.250

ASN

No context

Dropped Files

No context

Screenshots