Source: D009780.exe |
ReversingLabs: Detection: 21% |
Source: D009780.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\D009780.exe |
Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen |
Source: D009780.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_004065C5 FindFirstFileW,FindClose, |
0_2_004065C5 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00405990 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00402862 FindFirstFileW, |
0_2_00402862 |
Source: D009780.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_00405425 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403373 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00404C62 |
0_2_00404C62 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_00406ADD |
0_2_00406ADD |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_004072B4 |
0_2_004072B4 |
Source: C:\Users\user\Desktop\D009780.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\D009780.exe |
File read: C:\Users\user\Desktop\D009780.exe |
Source: D009780.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\D009780.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\D009780.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Local\Temp\nst86C1.tmp |
Source: classification engine |
Classification label: mal52.evad.winEXE@1/6@0/0 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_004020FE CoCreateInstance, |
0_2_004020FE |
Source: C:\Users\user\Desktop\D009780.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
0_2_004046E6 |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_10002DE0 push eax; ret |
0_2_10002E0E |
Source: C:\Users\user\Desktop\D009780.exe |
Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_10001B18 |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Local\Temp\nsn8FFA.tmp\System.dll |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Anhydridizes.Imi121 |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\libxml2-2.0.typelib |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\Psammologist.Pan |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\memstat.c |
Source: C:\Users\user\Desktop\D009780.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\selection-end-symbolic.symbolic.png |
Source: C:\Users\user\Desktop\D009780.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\D009780.exe |
RDTSC instruction interceptor: First address: 0000000002B12174 second address: 0000000002B12174 instructions:
0x00000000 rdtsc
0x00000002 test ecx, 68A7FE31h
0x00000008 cmp ebx, ecx
0x0000000a jc 00007FC9C0DD810Eh
0x0000000c test ecx, ecx
0x0000000e test al, A2h
0x00000010 inc ebp
0x00000011 cmp bl, al
0x00000013 inc ebx
0x00000014 rdtsc
Source: C:\Users\user\Desktop\D009780.exe |
API call chain: ExitProcess graph end node |