Source: SC.028UCCP.exe |
ReversingLabs: Detection: 33% |
Source: SC.028UCCP.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00405E9C FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_0040264F FindFirstFileA, |
Source: SC.028UCCP.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: SC.028UCCP.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: SC.028UCCP.exe |
String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: SC.028UCCP.exe |
String found in binary or memory: http://s.symcd.com06 |
Source: SC.028UCCP.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: SC.028UCCP.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: SC.028UCCP.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: SC.028UCCP.exe |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: SC.028UCCP.exe |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: SC.028UCCP.exe |
String found in binary or memory: https://d.symcb.com/rpa0. |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00404822 |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_004062C3 |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00406A9A |
Source: SC.028UCCP.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
File read: C:\Users\user\Desktop\SC.028UCCP.exe |
Source: SC.028UCCP.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
File created: C:\Users\user\Documents\Snarer.ini |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
File created: C:\Users\user\AppData\Local\Temp\nstD527.tmp |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/4@0/0 |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: Yara match |
File source: 00000000.00000002.782394015.000000000400D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.782394015.0000000002B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, type: DROPPED |
Source: Yara match |
File source: 00000000.00000002.782049027.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_10002CE0 push eax; ret |
0_2_10002D0E |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress, |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
File created: C:\Users\user\AppData\Local\Temp\nsuD883.tmp\System.dll |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
RDTSC instruction interceptor: First address: 00000000041F6C3D second address: 00000000041F6C3D instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FB3B0BEAC3Fh
    0x00000006 cmp esi, F36905EDh
    0x0000000c test edx, ebx
    0x0000000e inc ebp
    0x0000000f test bl, cl
    0x00000011 inc ebx
    0x00000012 pushad
    0x00000013 mov di, 3123h
    0x00000017 cmp di, 3123h
    0x0000001c jne 00007FB3B0BEDC0Ah
    0x00000022 popad
    0x00000023 rdtsc |
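The intercepted sequence above is the classic shape of an anti-analysis timing check: RDTSC, a short run of filler that touches no memory (the mov di,3123h / cmp di,3123h / jne triple is an always-false branch wrapped in pushad/popad, i.e. junk), then a second RDTSC so the delta can be compared against a threshold that a VM, debugger or single-stepper will exceed. The script below is an added example written for this page, not part of the sandbox's tooling or of the sample: it scans a raw code blob for RDTSC opcode pairs (0F 31) that sit within a small byte window of each other, which is the cheapest static triage for this pattern. The sample bytes are hand-encoded from the listing's mnemonics (an assumption; the report shows only rebased branch targets, so both branch displacements are zero placeholders). The opcode pair can also occur inside data, so every hit should be confirmed in a disassembler.

```python
"""Locate candidate RDTSC timing checks in a raw x86 code blob.

Added example for this report, not the sandbox's own tooling. Heuristic: an
anti-analysis timing check executes RDTSC twice with only a few instructions in
between and then compares the difference against a threshold, so two `0F 31`
opcodes within a short byte window are a strong indicator.
"""
import sys

RDTSC = b"\x0f\x31"  # x86 opcode for RDTSC

# Constructed sample (assumption): encoded by hand from the mnemonics in the
# interceptor listing, so RDTSC sits at +0x00 and +0x23 exactly as reported.
# Branch displacements are placeholders; the report only shows rebased targets.
SAMPLE = bytes([
    0x0F, 0x31,                          # 0x00 rdtsc
    0x39, 0xCB,                          # 0x02 cmp ebx, ecx
    0x72, 0x00,                          # 0x04 jc rel8 (placeholder displacement)
    0x81, 0xFE, 0xED, 0x05, 0x69, 0xF3,  # 0x06 cmp esi, 0xF36905ED
    0x85, 0xDA,                          # 0x0c test edx, ebx
    0x45,                                # 0x0e inc ebp
    0x84, 0xCB,                          # 0x0f test bl, cl
    0x43,                                # 0x11 inc ebx
    0x60,                                # 0x12 pushad
    0x66, 0xBF, 0x23, 0x31,              # 0x13 mov di, 0x3123
    0x66, 0x81, 0xFF, 0x23, 0x31,        # 0x17 cmp di, 0x3123  (always equal)
    0x0F, 0x85, 0x00, 0x00, 0x00, 0x00,  # 0x1c jne rel32 (never taken; placeholder)
    0x61,                                # 0x22 popad
    0x0F, 0x31,                          # 0x23 rdtsc
])


def find_rdtsc(blob: bytes) -> list[int]:
    """Return every offset at which the two-byte RDTSC opcode occurs."""
    offsets, pos = [], blob.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(RDTSC, pos + 1)
    return offsets


def find_timing_checks(blob: bytes, window: int = 64) -> list[tuple[int, int, int]]:
    """Pair consecutive RDTSC hits that lie within `window` bytes of each other.

    Returns (first_offset, second_offset, gap) tuples. A tiny gap means the
    code is timing its own execution (VM / debugger / single-step detection)
    rather than profiling real work; widely separated RDTSCs are ignored.
    """
    hits = find_rdtsc(blob)
    return [(a, b, b - a) for a, b in zip(hits, hits[1:]) if b - a <= window]


def main(argv: list[str]) -> int:
    # With a path argument, scan that file (e.g. a dumped memory region);
    # without one, scan the constructed sample from the report listing.
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for first, second, gap in find_timing_checks(blob):
        print(f"rdtsc pair at 0x{first:x} / 0x{second:x}, {gap} bytes apart")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the sandbox's memory dumps (the .sdmp regions listed under the Yara matches) to find every such pair, then confirm in a disassembler that the bytes between the two RDTSCs really are code and that the delta is compared against a constant; a window of 64 bytes catches the 35-byte gap seen here while skipping legitimate profiling code that does real work between reads.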
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\SC.028UCCP.exe |
Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, |