
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 67746
Start time: 12:18:25
Joe Sandbox Product: CloudBasic
Start date: 12.07.2018
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 5dxgnP9nu9p (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.troj.winEXE@4/437@70/33
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 79
  • Number of non-executed functions: 55
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 82.7%)
  • Quality average: 65.4%
  • Quality standard deviation: 36.4%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, dllhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation will likely extend the observed behavior
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files\Common Files\microsoft shared\Help\1040\Kazaa Lite.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Harry Potter.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\EURO\Harry Potter.exe; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Help\1041\ICQ 4 Lite.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Help\1028\index.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\1033\Winamp 5.0 (en).com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Help\1046\Winamp 5.0 (en) Crack.exe; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Help\1042\Winamp 5.0 (en).ShareReactor.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\DAO\WinRAR.v.3.2.and.key.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Help\1036\WinRAR.v.3.2.and.key.ShareReactor.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\Winamp 5.0 (en) Crack.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\DW\ICQ 4 Lite.ShareReactor.com; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe; Avira: Label: WORM/Mydoom.L.1
Source: C:\Program Files\Common Files\microsoft shared\Filters\WinRAR.v.3.2.and.key.exe; Avira: Label: WORM/Mydoom.L.1
Antivirus detection for submitted file
Source: 5dxgnP9nu9p.exe; Avira: Label: WORM/Mydoom.L.1
Antivirus detection for unpacked file
Source: 2.1.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.1.5dxgnP9nu9p.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 2.2.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 2.0.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.0.5dxgnP9nu9p.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.2.5dxgnP9nu9p.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 3.2.WerFault.exe.120000.1.unpack; Avira: Label: TR/Agent.Blkhl.dam

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.2:49163 -> 16.91.193.214:1042
Source: global traffic; TCP traffic: 192.168.2.2:49165 -> 65.128.92.41:1042
Source: global traffic; TCP traffic: 192.168.2.2:49166 -> 15.236.162.112:1042
Source: global traffic; TCP traffic: 192.168.2.2:49168 -> 16.83.200.130:1042
Domain name seen in connection with other malware
Source: Joe Sandbox View; Domain Name: northcoast.com
Tries to resolve many domain names, but no domain seems valid
Source: unknown; DNS traffic detected: query: atwola.com replaycode: Server failure (2)
Source: unknown; DNS traffic detected: query: mx.unicode.org replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: bryson.demon.co.uk replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: src.dec.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mail.unicode.org replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: smtp.unicode.org replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx.theriver.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx.cl.cam.ac.uk replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx2-lw-us.apache.org replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx.onlineconnections.com.au replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx2-lw-eu.apache.org replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: smtp.onlineconnections.com.au replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: smtp.cl.cam.ac.uk replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx.northcoast.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mail.northcoast.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: smtp.northcoast.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: mx.pobox.com replaycode: Name error (3)
Source: unknown; DNS traffic detected: query: resources.jar replaycode: Name error (3)
Connects to many different domains
Source: unknown; Network traffic detected: DNS query count 47
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 64.147.108.54
Source: Joe Sandbox View; IP Address: 64.147.108.55
Source: Joe Sandbox View; IP Address: 64.147.108.70
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: HP-INTERNET-AS-Hewlett-PackardCompanyUS
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Code function: 1_2_00807983 Sleep,socket,connect,recv,htons,htons,htons,send,htons,recv,closesocket,1_2_00807983
Found strings which match to known social media urls
Source: 5dxgnP9nu9p.exe, lsass.exe; String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
Source: 5dxgnP9nu9p.exe, lsass.exe; String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: atwola.com
Urls found in memory or binary data

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Traybar
Creates an autostart registry key
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Traybar

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Code function: 1_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,1_2_00807D81
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Code function: 1_1_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,1_1_00807D81
Source: C:\Windows\lsass.exe; Code function: 2_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,2_2_00807D81
Source: C:\Windows\lsass.exe; Code function: 2_1_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z,2_1_00807D81

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Code function: 1_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,1_2_00802C72
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Code function: 1_1_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,1_1_00802C72
Source: C:\Windows\lsass.exe; Code function: 2_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep,2_2_00802C72
Source: C:\Windows\lsass.exe; Code function: 2_1_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep,2_1_00802C72
Searches for user specific document files
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe; Directory queried: C:\Users\Public\Documents

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Windows\lsass.exeFile created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\ICQ 4 Lite.comJump to dropped file
Source: C:\Windows\lsass.exeFile created: C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\WinRAR.v.3.2.and.key.comJump to dropped file
Source: C:\Windows\lsass.exeFile created: C:\Program Files\Common Files\microsoft shared\Help\3082\WinRAR.v.3.2.and.key.comJump to dropped file
Source: C:\Windows\lsass.exeFile created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\index.ShareReactor.comJump to dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown; Executable created and started: C:\Windows\lsass.exe
Drops PE files
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exeFile created: C:\Windows\lsass.exeJump to dropped file

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Code function: 1_2_00803A5C GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetNetworkParams,htons,inet_addr,gethostbyname,GetProcessHeap,HeapFree, | 1_2_00803A5C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Code function: 1_2_00807EE0 push eax; ret | 1_2_00807F0E
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Code function: 1_1_00807EE0 push eax; ret | 1_1_00807F0E
Source: C:\Windows\lsass.exe | Code function: 2_2_00807EE0 push eax; ret | 2_2_00807F0E
Source: C:\Windows\lsass.exe | Code function: 2_1_00807EE0 push eax; ret | 2_1_00807F0E
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Spreading:

Enumerates the file system
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat Reader DC\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 1_2_00804D32
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Code function: 1_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 1_1_00804D32
Source: C:\Windows\lsass.exe | Code function: 2_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 2_2_00804D32
Source: C:\Windows\lsass.exe | Code function: 2_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 2_1_00804D32

System Summary:

Creates files with lurking names (e.g. Crack.exe)
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\EQUATION\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\EQUATION\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\1046\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\1046\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\1049\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\1049\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\1.0\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\1.0\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\MSEnv\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\MSEnv\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\CANYON\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\CANYON\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\JOURNAL\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\JOURNAL\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\PROFILE\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\PROFILE\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\REFINED\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\REFINED\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\SONORA\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\SONORA\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\STUDIO\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\THEMES14\STUDIO\Winamp 5.0 (en) Crack.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\Winamp 5.0 (en) Crack.ShareReactor.com\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Winamp 5.0 (en) Crack.exe\:Zone.Identifier:$DATA
Drops files with a known system name (to hide its detection)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | File created: C:\Windows\lsass.exe
Creates files inside the system directory
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | File created: C:\Windows\lsass.exe
Creates mutexes
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3372
Source: C:\Windows\lsass.exe | Mutant created: \Sessions\1\BaseNamedObjects\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | File deleted: C:\Windows\lsass.exe
One or more processes crash
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3372 -s 700
PE file contains strange resources
Source: 5dxgnP9nu9p.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lsass.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tmp5673.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tmp567E.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\lsass.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 5dxgnP9nu9p.exe, 00000001.00000002.21195569019.002EE000.00000004.sdmp | Binary or memory string: OriginalFilenameWerFault.exej% vs 5dxgnP9nu9p.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | File read: C:\Users\user\Desktop\5dxgnP9nu9p.exe
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: 5dxgnP9nu9p.exe | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Source: lsass.exe.1.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Source: tmp5673.tmp.2.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Source: tmp567E.tmp.2.dr | Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Classification label
Source: classification engine | Classification label: mal100.evad.troj.winEXE@4/437@70/33
Creates files inside the program directory
Source: C:\Windows\lsass.exe | File created: C:\Program Files\Common Files\microsoft shared\Harry Potter.com
Creates files inside the user directory
Source: C:\Windows\System32\WerFault.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_5dxgnP9nu9p.exe_d74869e6a53d9f224daf109351d9ef7b5b1433d4_0df246e3
Creates temporary files
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\cylhgxl.txt
Reads ini files
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\5dxgnP9nu9p.exe 'C:\Users\user\Desktop\5dxgnP9nu9p.exe'
Source: unknown | Process created: C:\Windows\lsass.exe 'C:\Windows\lsass.exe'
Source: unknown | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3372 -s 700
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3372 -s 700
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\WerFault.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713aacc8-3b71-435c-a3a1-be4e53621ab1}\InProcServer32
Creates a directory in C:\Program Files
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\DAO\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\DW\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\EQUATION\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\EQUATION\1033\Winamp 5.0 (en).com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\EURO\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Filters\WinRAR.v.3.2.and.key.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\GRPHFLT\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\Harry Potter.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1028\index.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1031\Winamp 5.0 (en).com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1033\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1036\WinRAR.v.3.2.and.key.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1040\Kazaa Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1041\ICQ 4 Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1042\Winamp 5.0 (en).ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1046\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\1049\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\2052\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Help\3082\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\1.0\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\1.7\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Winamp 5.0 (en).com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\index.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\WinRAR.v.3.2.and.key.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\index.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en).exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\Kazaa Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\ICQ 4 Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\index.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\numbers\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\ICQ 4 Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ICQ 4 Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\web\WinRAR.v.3.2.and.key.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\WinRAR.v.3.2.and.key.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\ICQ 4 Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\ICQ 4 Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\WinRAR.v.3.2.and.key.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\WinRAR.v.3.2.and.key.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Kazaa Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\ICQ 4 Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Winamp 5.0 (en).ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-CS\index.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\Winamp 5.0 (en).exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\ICQ 4 Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Kazaa Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSEnv\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSEnv\PublicAssemblies\Winamp 5.0 (en).com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Winamp 5.0 (en) Crack.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\ICQ 4 Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\1033\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\WinRAR.v.3.2.and.key.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Kazaa Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\Kazaa Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\Harry Potter.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Kazaa Lite.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\index.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Kazaa Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Kazaa Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\Harry Potter.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\SingleImage\Harry Potter.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Winamp 5.0 (en).ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Portal\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Portal\1033\index.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\PROOF\index.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Smart Tag\WinRAR.v.3.2.and.key.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Smart Tag\1033\ICQ 4 Lite.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\index.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Smart Tag\LISTS\1033\index.ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en) Crack.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\Winamp 5.0 (en).ShareReactor.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\ICQ 4 Lite.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Winamp 5.0 (en) Crack.exe
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\WksConv\WinRAR.v.3.2.and.key.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\THEMES14\index.com
Source: C:\Windows\lsass.exe | Directory created: C:\Program Files\Common Files\microsoft shared\THEMES14\AFTRNOON\index.exe
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\ARCTIC\WinRAR.v.3.2.and.key.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\AXIS\WinRAR.v.3.2.and.key.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\BLENDS\index.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\BLUECALM\Kazaa Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\BLUEPRNT\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\BOLDSTRI\Winamp 5.0 (en) Crack.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\BREEZE\index.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\CANYON\Winamp 5.0 (en) Crack.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\CAPSULES\Winamp 5.0 (en) Crack.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\CASCADE\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\COMPASS\Kazaa Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\CONCRETE\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\DEEPBLUE\Kazaa Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\ECHO\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\ECLIPSE\WinRAR.v.3.2.and.key.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\EDGE\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\EVRGREEN\Winamp 5.0 (en).exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\EXPEDITN\index.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\ICE\Winamp 5.0 (en) Crack.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\INDUST\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\IRIS\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\JOURNAL\Winamp 5.0 (en) Crack.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\LAYERS\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\LEVEL\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\NETWORK\Harry Potter.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\PAPYRUS\Kazaa Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\PIXEL\WinRAR.v.3.2.and.key.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\PROFILE\Winamp 5.0 (en) Crack.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\QUAD\Winamp 5.0 (en).exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\RADIAL\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\REFINED\Winamp 5.0 (en) Crack.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\RICEPAPR\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\RIPPLE\ICQ 4 Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\RMNSQUE\WinRAR.v.3.2.and.key.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SATIN\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SKY\index.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SLATE\Winamp 5.0 (en).exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SONORA\Winamp 5.0 (en) Crack.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SPRING\Kazaa Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\STRTEDGE\Winamp 5.0 (en) Crack.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\STUDIO\Winamp 5.0 (en) Crack.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\SUMIPNTG\Harry Potter.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\WATER\index.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\THEMES14\WATERMAR\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\index.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\ARFR\index.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENES\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\ENFR\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\ESEN\Kazaa Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\FRAR\Winamp 5.0 (en).exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TRANSLAT\FREN\index.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\Kazaa Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VBA\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VBA\VBA6\Kazaa Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VBA\VBA7\Harry Potter.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VBA\VBA7\1033\WinRAR.v.3.2.and.key.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VC\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VGX\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Kazaa Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\ICQ 4 Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Winamp 5.0 (en).comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\WinRAR.v.3.2.and.key.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\Winamp 5.0 (en).comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Folders\Kazaa Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Folders\1033\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\ICQ 4 Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\index.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\Kazaa Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\index.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\Winamp 5.0 (en) Crack.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\ICQ 4 Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Full\index.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\index.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\WinRAR.v.3.2.and.key.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Harry Potter.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\ICQ 4 Lite.ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Winamp 5.0 (en).comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Winamp 5.0 (en) Crack.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\ICQ 4 Lite.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\WinRAR.v.3.2.and.key.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\index.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Winamp 5.0 (en) Crack.exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Winamp 5.0 (en).ShareReactor.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Winamp 5.0 (en).exeJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\WinRAR.v.3.2.and.key.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Google\Update\Download\Harry Potter.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\Kazaa Lite.comJump to behavior
Source: C:\Windows\lsass.exeDirectory created: C:\Program Files\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\60.0.3112.90\Kazaa Lite.ShareReactor.comJump to behavior
Binary contains paths to debug symbols
Source: Binary string: kernel32C:\Windows\system32\kernel32.dllC:\Windows\system32\kernel32.dllRSDSkernel32.pdb source: WerFault.exe, 00000003.00000002.21187294413.00185000.00000004.sdmp
Source: Binary string: Pkernel32.pdb source: WerFault.exe, 00000003.00000003.21177617375.00A71000.00000004.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000003.00000003.21178787718.00ADA000.00000004.sdmp
Source: Binary string: kernel32.pdb( source: WerFault.exe, 00000003.00000003.21177457121.01B32000.00000004.sdmp
Source: Binary string: ntdll.pdb( source: WerFault.exe, 00000003.00000002.21191219505.01B37000.00000004.sdmp
Source: Binary string: KiUserCallbackDispatcherRSDSntdll.pdb source: WerFault.exe, 00000003.00000002.21187294413.00185000.00000004.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000003.00000002.21191219505.01B37000.00000004.sdmp

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: lsass.exe, 00000002.00000002.21576787325.00810000.00000002.sdmp Binary or memory string: Progman
Source: lsass.exe, 00000002.00000002.21576787325.00810000.00000002.sdmp Binary or memory string: Program Manager
Source: lsass.exe, 00000002.00000002.21576787325.00810000.00000002.sdmp Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WerFault.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00803A5C GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetNetworkParams,htons,inet_addr,gethostbyname,GetProcessHeap,HeapFree, 1_2_00803A5C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00803A5C GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetNetworkParams,htons,inet_addr,gethostbyname,GetProcessHeap,HeapFree, 1_2_00803A5C
Enables debug privileges
Source: C:\Windows\System32\WerFault.exe Process token adjusted: Debug

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\lsass.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_2-2177
Source: C:\Windows\lsass.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_2-2177
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_1-2195
Found stalling execution ending in API Sleep call
Source: C:\Windows\lsass.exe Stalling execution: Execution stalls by calling Sleep graph_2-2100
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Stalling execution: Execution stalls by calling Sleep graph_1-2081
Enumerates the file system
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\Acrobat Reader DC\
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\
Source: C:\Windows\lsass.exe File opened: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\lsass.exe Window / User API: threadDelayed 507
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-2811
Source: C:\Windows\lsass.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-2861
Found dropped PE file which has not been started or loaded
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp567E.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp6FA0.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmpA068.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp5673.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp7441.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp6ED7.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp7010.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp6ECC.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmp6FB5.tmp
Source: C:\Windows\lsass.exe Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\tmpEC26.tmp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe TID: 3376 Thread sleep time: -95000s >= -60000s
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe TID: 3376 Thread sleep count: 38 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 34 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 120 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 31 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 36 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 70 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 129 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 507 > 30
Source: C:\Windows\lsass.exe TID: 3452 Thread sleep count: 37 > 30
Source: C:\Windows\lsass.exe TID: 3644 Thread sleep count: 56 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Last function: Thread delayed
Source: C:\Windows\lsass.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h 1_2_00805247
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_1_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h 1_1_00805247
Source: C:\Windows\lsass.exe Code function: 2_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h 2_2_00805247
Source: C:\Windows\lsass.exe Code function: 2_1_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h 2_1_00805247
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 1_2_00804D32
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 1_1_00804D32
Source: C:\Windows\lsass.exe Code function: 2_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 2_2_00804D32
Source: C:\Windows\lsass.exe Code function: 2_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 2_1_00804D32
Program exit points
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe API call chain: ExitProcess graph end node graph_1-2146
Source: C:\Windows\lsass.exe API call chain: ExitProcess graph end node graph_2-2163
Queries a list of all running processes
Source: C:\Windows\System32\WerFault.exe Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Creates PE files with a name equal or similar to existing files in Windows
Source: C:\Windows\lsass.exe File created: Name: lsass.exe in C:\Users\user\Desktop\5dxgnP9nu9p.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA, 1_2_00802DB3
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\5dxgnP9nu9p.exe Code function: 1_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA, 1_2_00802DB3
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WerFault.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Behavior graph image not preserved in this extraction. Recoverable graph data: Behavior Graph ID: 67746; Sample: 5dxgnP9nu9p; Start date: 12/07/2018; Architecture: WINDOWS; Score: 100. Signature nodes attached to the sample: Antivirus detection for dropped file; Antivirus detection for submitted file; Domain name seen in connection with other malware; 4 other signatures. Process node: lsass.exe]