Source: download.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: download.exe
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_004026FE FindFirstFileA,
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_00406280 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\download.exe
File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: lang-1032.dll.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lang-1032.dll.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: lang-1032.dll.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: lang-1032.dll.0.dr
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: download.exe
String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: download.exe
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: lang-1032.dll.0.dr
String found in binary or memory: http://ocsp.digicert.com0C
Source: lang-1032.dll.0.dr
String found in binary or memory: http://ocsp.digicert.com0N
Source: lang-1032.dll.0.dr
String found in binary or memory: http://ocsp.digicert.com0O
Source: download.exe
String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: download.exe
String found in binary or memory: http://s.symcd.com06
Source: download.exe
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: download.exe
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: download.exe
String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: lang-1032.dll.0.dr
String found in binary or memory: http://www.avast.com0/
Source: lang-1032.dll.0.dr
String found in binary or memory: http://www.digicert.com/CPS0
Source: download.exe
String found in binary or memory: https://d.symcb.com/cps0%
Source: download.exe
String found in binary or memory: https://d.symcb.com/rpa0
Source: download.exe
String found in binary or memory: https://d.symcb.com/rpa0.
Source: lang-1032.dll.0.dr
String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: lang-1032.dll.0.dr
Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\download.exe
File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_00404A21
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_73B61A98
Source: download.exe
Static PE information: invalid certificate
Source: lang-1032.dll.0.dr
Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: C:\Users\user\Desktop\download.exe
Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\download.exe
File read: C:\Users\user\Desktop\download.exe
Source: download.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\download.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\download.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\download.exe
File created: C:\Users\user\AppData\Local\Temp\nsz8D99.tmp
Source: classification engine
Classification label: mal52.troj.evad.winEXE@1/5@0/0
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\download.exe
File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: Yara match
File source: 00000000.00000002.779236025.000000000693F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\download.exe
Code function: 0_2_73B62F20 push eax; ret (0_2_73B62F4E)
Source: C:\Users\user\Desktop\download.exe
File created: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll
Source: C:\Users\user\Desktop\download.exe
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll
Source: C:\Users\user\Desktop\download.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download.exe
RDTSC instruction interceptor: First address: 0000000006DC4A92 second address: 0000000006DC4A92 instructions: 0x00000000 rdtsc 0x00000002 test edx, ecx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4174E1A261h 0x0000000c pushad 0x0000000d mov si, C771h 0x00000011 cmp si, C771h 0x00000016 jne 00007F4174E1D60Dh 0x0000001c popad 0x0000001d inc ebp 0x0000001e inc ebx 0x0000001f jmp 00007F4174E1A465h 0x00000024 nop 0x00000025 rdtsc
Source: C:\Users\user\Desktop\download.exe
Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll
Source: C:\Users\user\Desktop\download.exe
API call chain: ExitProcess graph end node