Source: SzznpUhIjo.exe |
ReversingLabs: Detection: 43% |
Source: SzznpUhIjo.exe |
Virustotal: Detection: 49% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Avira: detection malicious, Label: HEUR/AGEN.1252166 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
Avira: detection malicious, Label: HEUR/AGEN.1252166 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe |
ReversingLabs: Detection: 63% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe |
Virustotal: Detection: 79% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
ReversingLabs: Detection: 68% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Virustotal: Detection: 65% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
ReversingLabs: Detection: 87% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
Virustotal: Detection: 79% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
ReversingLabs: Detection: 64% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe |
ReversingLabs: Detection: 43% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
ReversingLabs: Detection: 59% |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
ReversingLabs: Detection: 88% |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
ReversingLabs: Detection: 66% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe |
Joe Sandbox ML: detected |
Source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"} |
Source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack |
Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"} |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00402F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
1_2_008E2F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E52F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
2_2_00E52F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
3_2_010D2F1D |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Unpacked PE file: 9.2.con1165.exe.400000.0.unpack |
Source: SzznpUhIjo.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: |
Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr |
Source: |
Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr |
Source: |
Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr |
Source: |
Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr |
Source: |
Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr |
Source: |
Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr |
Source: |
Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr |
Source: |
Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe |
Source: |
Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00402390 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
1_2_008E2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
2_2_00E52390 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
3_2_010D2390 |
Source: Malware configuration extractor |
URLs: 31.41.244.200/games/category/index.php |
Source: Malware configuration extractor |
URLs: 193.233.20.30:4125 |
Source: kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, en239906.exe.1.dr |
String found in binary or memory: https://api.ip.sb/ip |
Source: con1165.exe, 00000009.00000002.316630593.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: SzznpUhIjo.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
0_2_00401F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
1_2_008E1F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
2_2_00E51F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
3_2_010D1F90 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00403BA2 |
0_2_00403BA2 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00405C9E |
0_2_00405C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E3BA2 |
1_2_008E3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E5C9E |
1_2_008E5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E53BA2 |
2_2_00E53BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E55C9E |
2_2_00E55C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D3BA2 |
3_2_010D3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D5C9E |
3_2_010D5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00408C60 |
9_2_00408C60 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040DC11 |
9_2_0040DC11 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00407C3F |
9_2_00407C3F |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00418CCC |
9_2_00418CCC |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00406CA0 |
9_2_00406CA0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004028B0 |
9_2_004028B0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0041A4BE |
9_2_0041A4BE |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00418244 |
9_2_00418244 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00401650 |
9_2_00401650 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00402F20 |
9_2_00402F20 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004193C4 |
9_2_004193C4 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00418788 |
9_2_00418788 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00402F89 |
9_2_00402F89 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00402B90 |
9_2_00402B90 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004073A0 |
9_2_004073A0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA2B17 |
9_2_02DA2B17 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA18B7 |
9_2_02DA18B7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA786D |
9_2_02DA786D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA31F0 |
9_2_02DA31F0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DB89EF |
9_2_02DB89EF |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA3187 |
9_2_02DA3187 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA8EC7 |
9_2_02DA8EC7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA7EA6 |
9_2_02DA7EA6 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DADE78 |
9_2_02DADE78 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA77D9 |
9_2_02DA77D9 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA6F07 |
9_2_02DA6F07 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DB8F33 |
9_2_02DB8F33 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DBA725 |
9_2_02DBA725 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DB84AB |
9_2_02DB84AB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA2DF7 |
9_2_02DA2DF7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: String function: 0040E1D8 appears 44 times |
|
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: String function: 02DAE43F appears 44 times |
|
Source: kino5628.exe.0.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 724274 bytes, 2 files, at 0x2c +A "kino6423.exe" +A "en239906.exe", ID 1904, number 1, 28 datablocks, 0x1503 compression |
Source: kino6423.exe.1.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 578750 bytes, 2 files, at 0x2c +A "kino4801.exe" +A "dNT35s70.exe", ID 1958, number 1, 25 datablocks, 0x1503 compression |
Source: kino4801.exe.2.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205326 bytes, 2 files, at 0x2c +A "bus7600.exe" +A "con1165.exe", ID 1796, number 1, 11 datablocks, 0x1503 compression |
Source: kino4801.exe.2.dr |
Static PE information: Resource name: RT_RCDATA type: 370 sysV pure executable not stripped |
Source: SzznpUhIjo.exe |
Binary or memory string: OriginalFilename vs SzznpUhIjo.exe |
Source: SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SzznpUhIjo.exe |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB |
Source: SzznpUhIjo.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: dNT35s70.exe.2.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: con1165.exe.3.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: SzznpUhIjo.exe |
ReversingLabs: Detection: 43% |
Source: SzznpUhIjo.exe |
Virustotal: Detection: 49% |
Source: SzznpUhIjo.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\SzznpUhIjo.exe C:\Users\user\Desktop\SzznpUhIjo.exe |
|
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
|
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
|
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
|
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ |
|
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ |
|
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
0_2_00401F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
1_2_008E1F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
2_2_00E51F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
3_2_010D1F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.log |
Jump to behavior |
Source: classification engine |
Classification label: mal93.troj.spyw.evad.winEXE@15/10@0/0 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
0_2_0040597D |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
0_2_0040597D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_068807C6 CreateToolhelp32Snapshot,Module32First, |
0_2_068807C6 |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, |
0_2_00404FE0 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Command line argument: Kernel32.dll |
0_2_00402BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Command line argument: Kernel32.dll |
1_2_008E2BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Command line argument: Kernel32.dll |
2_2_00E52BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Command line argument: Kernel32.dll |
3_2_010D2BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Command line argument: 08A |
9_2_00413780 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Automated click: OK |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Automated click: OK |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: SzznpUhIjo.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SzznpUhIjo.exe |
Static file information: File size 1238528 > 1048576 |
Source: SzznpUhIjo.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109200 |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: SzznpUhIjo.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr |
Source: |
Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr |
Source: |
Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr |
Source: |
Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr |
Source: |
Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr |
Source: |
Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr |
Source: |
Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr |
Source: |
Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe |
Source: |
Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Unpacked PE file: 9.2.con1165.exe.400000.0.unpack |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R; |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Unpacked PE file: 9.2.con1165.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R; |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_0040724D push ecx; ret |
0_2_00407260 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_06881E94 pushad ; retf |
0_2_06881E95 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_068838D3 push cs; ret |
0_2_068838D4 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_06881F0B push FFFFFF8Bh; ret |
0_2_06881F0D |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_06885624 pushfd ; ret |
0_2_06885625 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E724D push ecx; ret |
1_2_008E7260 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E5724D push ecx; ret |
2_2_00E57260 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D724D push ecx; ret |
3_2_010D7260 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0041C40C push cs; iretd |
9_2_0041C4E2 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00423149 push eax; ret |
9_2_00423179 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0041C50E push cs; iretd |
9_2_0041C4E2 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004231C8 push eax; ret |
9_2_00423179 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040E21D push ecx; ret |
9_2_0040E230 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0041C6BE push ebx; ret |
9_2_0041C6BF |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DBC125 push ebx; ret |
9_2_02DBC126 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DBBE73 push cs; iretd |
9_2_02DBBF49 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DBBF75 push cs; iretd |
9_2_02DBBF49 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DAE484 push ecx; ret |
9_2_02DAE497 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00402F1D |
Source: en239906.exe.1.dr |
Static PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC] |
Source: initial sample |
Static PE information: section name: .text entropy: 7.985785026742163 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.769697619291595 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.747055941352255 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00401AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
0_2_00401AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
1_2_008E1AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E51AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
2_2_00E51AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
3_2_010D1AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe TID: 484 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe TID: 2356 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
9_2_004019F0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe |
Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00405467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, |
0_2_00405467 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00402390 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
1_2_008E2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
2_2_00E52390 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
3_2_010D2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
9_2_0040CE09 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
9_2_004019F0 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00402F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree, |
9_2_0040ADB0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_068800A3 push dword ptr fs:[00000030h] |
0_2_068800A3 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA092B mov eax, dword ptr fs:[00000030h] |
9_2_02DA092B |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DA0D90 mov eax, dword ptr fs:[00000030h] |
9_2_02DA0D90 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00406F40 SetUnhandledExceptionFilter, |
0_2_00406F40 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00406CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00406CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E6F40 SetUnhandledExceptionFilter, |
1_2_008E6F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe |
Code function: 1_2_008E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
1_2_008E6CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E56F40 SetUnhandledExceptionFilter, |
2_2_00E56F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe |
Code function: 2_2_00E56CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_00E56CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D6F40 SetUnhandledExceptionFilter, |
3_2_010D6F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe |
Code function: 3_2_010D6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_010D6CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
9_2_0040CE09 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
9_2_0040E61C |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
9_2_00416F6A |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_004123F1 SetUnhandledExceptionFilter, |
9_2_004123F1 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DAE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
9_2_02DAE883 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DAD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
9_2_02DAD070 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DB71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
9_2_02DB71D1 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: 9_2_02DB2658 SetUnhandledExceptionFilter, |
9_2_02DB2658 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_004017EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, |
0_2_004017EE |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: GetLocaleInfoA, |
9_2_00417A20 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Code function: GetLocaleInfoA, |
9_2_02DB7C87 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00407155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00407155 |
Source: C:\Users\user\Desktop\SzznpUhIjo.exe |
Code function: 0_2_00402BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, |
0_2_00402BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe |
Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 |
Jump to behavior |
Source: Yara match |
File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED |
Source: Yara match |
File source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.SzznpUhIjo.exe.6f54a20.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe, type: DROPPED |
Source: Yara match |
File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED |