Windows Analysis Report
SzznpUhIjo.exe

Overview

General Information

Sample Name: SzznpUhIjo.exe
Original Sample Name: f62fe8447c5e9b9ea5ac424543ad20b3.exe
Analysis ID: 829685
MD5: f62fe8447c5e9b9ea5ac424543ad20b3
SHA1: 847f52f9fff9b080e44de6738b61141b289cd09c
SHA256: d7f0a894956299f235cc735af3469746f223b3394abc85660e89872503e55982
Tags: exe, RedLineStealer

Detection

Amadey, RedLine
Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection

Source: SzznpUhIjo.exe ReversingLabs: Detection: 43%
Source: SzznpUhIjo.exe Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe ReversingLabs: Detection: 66%
Source: SzznpUhIjo.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe Joe Sandbox ML: detected
Source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00402F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_008E2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E52F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_00E52F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 3_2_010D2F1D

Compliance

Source: C:\Users\user\Desktop\SzznpUhIjo.exe Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Unpacked PE file: 9.2.con1165.exe.400000.0.unpack
Source: SzznpUhIjo.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SzznpUhIjo.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source: Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
Source: Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source: Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
Source: Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source: Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
Source: Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_008E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00E52390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_010D2390

Networking

Source: Malware configuration extractor URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor URLs: 193.233.20.30:4125
Source: kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, en239906.exe.1.dr String found in binary or memory: https://api.ip.sb/ip
Source: con1165.exe, 00000009.00000002.316630593.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00401F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_008E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00E51F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 3_2_010D1F90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: String function: 02DAE43F appears 44 times
Source: kino5628.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 724274 bytes, 2 files, at 0x2c +A "kino6423.exe" +A "en239906.exe", ID 1904, number 1, 28 datablocks, 0x1503 compression
Source: kino6423.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 578750 bytes, 2 files, at 0x2c +A "kino4801.exe" +A "dNT35s70.exe", ID 1958, number 1, 25 datablocks, 0x1503 compression
Source: kino4801.exe.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205326 bytes, 2 files, at 0x2c +A "bus7600.exe" +A "con1165.exe", ID 1796, number 1, 11 datablocks, 0x1503 compression
Source: kino4801.exe.2.dr Static PE information: Resource name: RT_RCDATA type: 370 sysV pure executable not stripped
Source: SzznpUhIjo.exe Binary or memory string: OriginalFilename vs SzznpUhIjo.exe
Source: SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SzznpUhIjo.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
Source: SzznpUhIjo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dNT35s70.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: con1165.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SzznpUhIjo.exe C:\Users\user\Desktop\SzznpUhIjo.exe
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.log
Source: C:\Users\user\Desktop\SzznpUhIjo.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal93.troj.spyw.evad.winEXE@15/10@0/0
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_0040597D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Code function: 4_2_00007FFBACD21B10 ChangeServiceConfigA, 4_2_00007FFBACD21B10
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_068807C6 CreateToolhelp32Snapshot,Module32First, 0_2_068807C6
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_00404FE0
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Command line argument: Kernel32.dll 0_2_00402BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Command line argument: Kernel32.dll 1_2_008E2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Command line argument: Kernel32.dll 2_2_00E52BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Command line argument: Kernel32.dll 3_2_010D2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Command line argument: 08A 9_2_00413780
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SzznpUhIjo.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\SzznpUhIjo.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: SzznpUhIjo.exe Static file information: File size 1238528 > 1048576
Source: SzznpUhIjo.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109200
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SzznpUhIjo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source: Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
Source: Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source: Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
Source: Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source: Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
Source: Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr

Data Obfuscation

Source: C:\Users\user\Desktop\SzznpUhIjo.exe Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Unpacked PE file: 9.2.con1165.exe.400000.0.unpack
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Unpacked PE file: 9.2.con1165.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_0040724D push ecx; ret 0_2_00407260
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06881E94 pushad ; retf 0_2_06881E95
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_068838D3 push cs; ret 0_2_068838D4
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06881F0B push FFFFFF8Bh; ret 0_2_06881F0D
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_06885624 pushfd ; ret 0_2_06885625
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E724D push ecx; ret 1_2_008E7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E5724D push ecx; ret 2_2_00E57260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D724D push ecx; ret 3_2_010D7260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_00423149 push eax; ret 9_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C50E push cs; iretd 9_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_004231C8 push eax; ret 9_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040E21D push ecx; ret 9_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0041C6BE push ebx; ret 9_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBC125 push ebx; ret 9_2_02DBC126
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBBE73 push cs; iretd 9_2_02DBBF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DBBF75 push cs; iretd 9_2_02DBBF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DAE484 push ecx; ret 9_2_02DAE497
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00402F1D
Source: en239906.exe.1.dr Static PE information: compile timestamp 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC], a date in the future
Source: initial sample Static PE information: section name: .text entropy: 7.985785026742163
Source: initial sample Static PE information: section name: .text entropy: 7.769697619291595
Source: initial sample Static PE information: section name: .text entropy: 7.747055941352255
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00401AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00401AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_008E1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E51AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_00E51AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 3_2_010D1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe TID: 484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe TID: 2356 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00405467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00405467
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_008E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00E52390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_010D2390
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00402F1D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree, 9_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_068800A3 push dword ptr fs:[00000030h] 0_2_068800A3
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DA092B mov eax, dword ptr fs:[00000030h] 9_2_02DA092B
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DA0D90 mov eax, dword ptr fs:[00000030h] 9_2_02DA0D90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00406F40 SetUnhandledExceptionFilter, 0_2_00406F40
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00406CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00406CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E6F40 SetUnhandledExceptionFilter, 1_2_008E6F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe Code function: 1_2_008E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_008E6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E56F40 SetUnhandledExceptionFilter, 2_2_00E56F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe Code function: 2_2_00E56CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00E56CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D6F40 SetUnhandledExceptionFilter, 3_2_010D6F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe Code function: 3_2_010D6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_010D6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_004123F1 SetUnhandledExceptionFilter, 9_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DAE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_02DAE883
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DAD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_02DAD070
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DB71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_02DB71D1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: 9_2_02DB2658 SetUnhandledExceptionFilter, 9_2_02DB2658
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_004017EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_004017EE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: GetLocaleInfoA, 9_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Code function: GetLocaleInfoA, 9_2_02DB7C87
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00407155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00407155
Source: C:\Users\user\Desktop\SzznpUhIjo.exe Code function: 0_2_00402BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00402BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Code function: 4_2_00007FFBACD2077D GetUserNameA, 4_2_00007FFBACD2077D
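
The static indicators in this section (a compile timestamp of 0xEFAF45DE that decodes to the year 2097, .text sections with entropy above 7.7 bits per byte, and section layouts that differ between the file on disk and the unpacked image) can be reproduced without a sandbox. The Python below is an added example, not part of this report or of the tool that produced it. It parses the COFF header and section table with the standard library only, computes per-section Shannon entropy, and flags a compile timestamp later than the analysis date as well as any section that is both writable and executable. The PE it triages is constructed in memory as a fixture; the 2023-03-20 reference date and the 7.0 entropy cut-off are assumptions.

```python
"""Static PE triage with the standard library only: compile-timestamp sanity,
per-section Shannon entropy and section permissions."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumptions for this example: a 7.0 bits/byte cut-off for "packed" code and
# an analysis date to compare the compile timestamp against.
ENTROPY_THRESHOLD = 7.0
REFERENCE_DATE = datetime(2023, 3, 20, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header and section table; raises ValueError on a non-PE blob."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _, _, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]),
            "exec": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def triage(blob: bytes, now: datetime = REFERENCE_DATE) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    pe = parse_pe(blob)
    findings = []
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if built > now:
        findings.append(f"compile timestamp 0x{pe['timestamp']:08X} ({built:%Y-%m-%d}) is in the future")
    for s in pe["sections"]:
        if s["exec"] and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: executable section entropy {s['entropy']:.2f} (packed?)")
        if s["exec"] and s["write"]:
            findings.append(f"{s['name']}: section is both writable and executable")
    return findings


def build_sample_pe(timestamp: int, text: bytes, text_flags: int) -> bytes:
    """Constructed fixture: a minimal PE32 with a single .text section (not a real file)."""
    opt_size, e_lfanew, raw_ptr = 0xE0, 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr,
                       0, 0, 0, 0, text_flags)
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + sect
    return header.ljust(raw_ptr, b"\0") + text


# Fixtures built in memory. PACKED_LIKE mirrors what the report shows for the
# initial sample: timestamp 0xEFAF45DE (year 2097) and a .text near 8 bits/byte.
# WX_CONTROL has a plausible 2023 timestamp but a writable and executable .text.
PACKED_LIKE = build_sample_pe(0xEFAF45DE, bytes(range(256)) * 16,
                              IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
WX_CONTROL = build_sample_pe(1678000000, b"\x90" * 4096,
                             IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)


def run_demo() -> dict:
    """Triage both fixtures against the assumed analysis date."""
    return {"packed_like": triage(PACKED_LIKE), "wx_control": triage(WX_CONTROL)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["no findings"])
```

To run it on a real sample, pass `open(path, "rb").read()` to `triage()`; the parser reads only the headers it needs, so it tolerates the oversized .text the report notes (raw size 0x109200) and does not follow the optional header or data directories.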

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
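
The two policy values above, the nested IXP000.TMP to IXP003.TMP extractor chain, and the rundll32.exe advpack.dll,DelNodeRunDLL32 cleanup recorded earlier are the behaviours a defender would most want to alert on from this report. The Python below is an added example and not part of the report: it runs three detections over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) that mirror this report's process tree. The event field names, the parent of the rundll32 cleanup process (which the report lists as unknown) and the two benign control events are assumptions.

```python
"""Three detections for the behaviour in this report, run over constructed
Sysmon-style events: Event ID 1 (process create) and Event ID 13 (registry value set)."""
import re

# %LOCALAPPDATA%\Temp\IXPnnn.TMP\ is where wextract-based (IExpress) self-extractors unpack.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# Defender policy values named Disable* under the two policy keys seen in this report.
DEFENDER_DISABLE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender( Security Center)?\\.*\\Disable\w+$", re.IGNORECASE)
# wextract deleting its own extraction directory through advpack.dll.
DELNODE = re.compile(r"advpack\.dll\s*,\s*DelNodeRunDLL32", re.IGNORECASE)


def dword_value(details: str):
    """Parse the 'DWORD (0x00000001)' form Sysmon uses in the Details field."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def detect(events: list) -> list:
    """Return (rule, subject, detail) tuples for every event that trips a rule."""
    alerts = []
    for e in events:
        image = e["image"]
        if e["id"] == 13:
            if DEFENDER_DISABLE.search(e["target"]) and dword_value(e["details"]) == 1:
                alerts.append(("defender_policy_disable", image, e["target"].rsplit("\\", 1)[-1]))
        elif e["id"] == 1:
            parent, cmdline = e.get("parent", ""), e.get("cmdline", "")
            # A self-extractor started from inside another extractor's IXP directory.
            if IXP_DIR.search(image) and IXP_DIR.search(parent):
                alerts.append(("nested_iexpress_extractor", parent, image))
            # rundll32 advpack.dll,DelNodeRunDLL32 pointed at an IXP directory.
            if image.lower().endswith("\\rundll32.exe") and DELNODE.search(cmdline) and IXP_DIR.search(cmdline):
                alerts.append(("iexpress_cleanup_delnode", image, cmdline))
    return alerts


T = r"C:\Users\user\AppData\Local\Temp"
# Constructed events mirroring this report's process tree. The parent of the
# rundll32 cleanup process is unknown in the report and assumed here; the last
# two events are benign controls that must not alert.
EVENTS = [
    {"id": 1, "image": r"C:\Users\user\Desktop\SzznpUhIjo.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": T + r"\IXP000.TMP\kino5628.exe", "parent": r"C:\Users\user\Desktop\SzznpUhIjo.exe"},
    {"id": 1, "image": T + r"\IXP001.TMP\kino6423.exe", "parent": T + r"\IXP000.TMP\kino5628.exe"},
    {"id": 1, "image": T + r"\IXP002.TMP\kino4801.exe", "parent": T + r"\IXP001.TMP\kino6423.exe"},
    {"id": 1, "image": T + r"\IXP003.TMP\bus7600.exe", "parent": T + r"\IXP002.TMP\kino4801.exe"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Users\user\Desktop\SzznpUhIjo.exe",
     "cmdline": 'C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
                + T + "\\IXP000.TMP\\"},
    {"id": 13, "image": T + r"\IXP003.TMP\bus7600.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": T + r"\IXP003.TMP\bus7600.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def run_demo() -> dict:
    """Count alerts per rule for the constructed events."""
    counts = {}
    for rule, _, _ in detect(EVENTS):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Writing these values under HKLM\SOFTWARE\Policies requires administrative rights, which is consistent with the GetTokenInformation privilege checks the extractors perform before dropping bus7600.exe; a policy value set to 0 by svchost.exe (Group Policy refresh) is deliberately not alerted, so the rule keys on the value, not just the path.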

Stealing of Sensitive Information

Source: Yara match File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED
Source: Yara match File source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SzznpUhIjo.exe.6f54a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED
No contacted IP information