Source: aeICl0Aabv.exe |
ReversingLabs: Detection: 61% |
Source: aeICl0Aabv.exe |
Virustotal: Detection: 57% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Avira: detection malicious, Label: HEUR/AGEN.1252166 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
Avira: detection malicious, Label: HEUR/AGEN.1252166 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe |
ReversingLabs: Detection: 91% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe |
Virustotal: Detection: 85% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
ReversingLabs: Detection: 66% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Virustotal: Detection: 60% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
ReversingLabs: Detection: 87% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
Virustotal: Detection: 78% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
ReversingLabs: Detection: 54% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Virustotal: Detection: 55% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe |
ReversingLabs: Detection: 43% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe |
Virustotal: Detection: 46% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
ReversingLabs: Detection: 66% |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
ReversingLabs: Detection: 88% |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
ReversingLabs: Detection: 48% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
Joe Sandbox ML: detected |
Source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"} |
Source: 0.3.aeICl0Aabv.exe.4710420.0.raw.unpack |
Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"} |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00052F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
1_2_012E2F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
2_2_00DE2F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A12F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
3_2_00A12F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Unpacked PE file: 6.2.v7930id.exe.400000.0.unpack |
Source: aeICl0Aabv.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: aeICl0Aabv.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: wextract.pdb source: aeICl0Aabv.exe, zap9052.exe.0.dr, zap8476.exe.2.dr, zap9953.exe.1.dr |
Source: |
Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: aeICl0Aabv.exe, 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp, y89Te35.exe.0.dr |
Source: |
Binary string: Healer.pdb source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307303820.0000000002350000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wextract.pdbGCTL source: aeICl0Aabv.exe, zap9052.exe.0.dr, zap8476.exe.2.dr, zap9953.exe.1.dr |
Source: |
Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: zap8476.exe, 00000003.00000003.249771343.0000000004F25000.00000004.00000020.00020000.00000000.sdmp, tz5602.exe, 00000004.00000000.250008201.0000000000AD2000.00000002.00000001.01000000.00000007.sdmp, tz5602.exe.3.dr |
Source: |
Binary string: _.pdb source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.306929707.0000000000714000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000003.284197043.0000000000714000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Healer.pdbH5 source: v7930id.exe, 00000006.00000002.307100759.0000000001F60000.00000004.00000020.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307303820.0000000002350000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000002.307333440.0000000002531000.00000004.00000800.00020000.00000000.sdmp, v7930id.exe, 00000006.00000002.307209592.0000000002290000.00000004.08000000.00040000.00000000.sdmp, v7930id.exe, 00000006.00000003.283039603.0000000000702000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00052390 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
1_2_012E2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
2_2_00DE2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A12390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
3_2_00A12390 |
Source: Malware configuration extractor |
URLs: 62.204.41.87/joomla/index.php |
Source: Malware configuration extractor |
URLs: 193.233.20.30:4125 |
Source: zap9052.exe, 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, xJuGE71.exe.1.dr |
String found in binary or memory: https://api.ip.sb/ip |
Source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000006.00000002.306894968.00000000006A6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000006.00000002.306894968.00000000006A6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00051F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
0_2_00051F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
1_2_012E1F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
2_2_00DE1F90 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A11F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
3_2_00A11F90 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00053BA2 |
0_2_00053BA2 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00055C9E |
0_2_00055C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E3BA2 |
1_2_012E3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E5C9E |
1_2_012E5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE3BA2 |
2_2_00DE3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE5C9E |
2_2_00DE5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A13BA2 |
3_2_00A13BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A15C9E |
3_2_00A15C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00408C60 |
6_2_00408C60 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040DC11 |
6_2_0040DC11 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00407C3F |
6_2_00407C3F |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00418CCC |
6_2_00418CCC |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00406CA0 |
6_2_00406CA0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004028B0 |
6_2_004028B0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0041A4BE |
6_2_0041A4BE |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00418244 |
6_2_00418244 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00401650 |
6_2_00401650 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00402F20 |
6_2_00402F20 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004193C4 |
6_2_004193C4 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00418788 |
6_2_00418788 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00402F89 |
6_2_00402F89 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00402B90 |
6_2_00402B90 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004073A0 |
6_2_004073A0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F786D |
6_2_004F786D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F18B7 |
6_2_004F18B7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_005089EF |
6_2_005089EF |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F31F0 |
6_2_004F31F0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F3187 |
6_2_004F3187 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F2B17 |
6_2_004F2B17 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_005084AB |
6_2_005084AB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F2DF7 |
6_2_004F2DF7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004FDE78 |
6_2_004FDE78 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F8EC7 |
6_2_004F8EC7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F7EA6 |
6_2_004F7EA6 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F6F07 |
6_2_004F6F07 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00508F33 |
6_2_00508F33 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0050A725 |
6_2_0050A725 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F77D9 |
6_2_004F77D9 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_020E0DA7 |
6_2_020E0DA7 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_020E0DB0 |
6_2_020E0DB0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: String function: 0040E1D8 appears 44 times |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: String function: 004FE43F appears 44 times |
Source: aeICl0Aabv.exe |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 828054 bytes, 2 files, at 0x2c +A "zap9052.exe" +A "y89Te35.exe", ID 1798, number 1, 32 datablocks, 0x1503 compression |
Source: zap9052.exe.0.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 648832 bytes, 2 files, at 0x2c +A "zap9953.exe" +A "xJuGE71.exe", ID 1840, number 1, 26 datablocks, 0x1503 compression |
Source: zap9953.exe.1.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 503084 bytes, 2 files, at 0x2c +A "zap8476.exe" +A "w77lD51.exe", ID 1791, number 1, 19 datablocks, 0x1503 compression |
Source: zap8476.exe.2.dr |
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 174559 bytes, 2 files, at 0x2c +A "tz5602.exe" +A "v7930id.exe", ID 1713, number 1, 8 datablocks, 0x1503 compression |
Source: aeICl0Aabv.exe, 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs aeICl0Aabv.exe |
Source: aeICl0Aabv.exe |
Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs aeICl0Aabv.exe |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe 42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4 |
Source: aeICl0Aabv.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\aeICl0Aabv.exe C:\Users\user\Desktop\aeICl0Aabv.exe |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tz5602.exe.log |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@15/10@0/0 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_0005597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
0_2_0005597D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
6_2_004019F0 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00054FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, |
0_2_00054FE0 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Command line argument: Kernel32.dll |
0_2_00052BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Command line argument: Kernel32.dll |
1_2_012E2BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Command line argument: Kernel32.dll |
2_2_00DE2BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Command line argument: Kernel32.dll |
3_2_00A12BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Command line argument: 08A |
6_2_00413780 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Automated click: OK |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Automated click: OK |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Automated click: OK |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: aeICl0Aabv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Unpacked PE file: 6.2.v7930id.exe.400000.0.unpack .text:ER;.data:W;.nakulor:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R; |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_0005724D push ecx; ret |
0_2_00057260 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E724D push ecx; ret |
1_2_012E7260 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE724D push ecx; ret |
2_2_00DE7260 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A1724D push ecx; ret |
3_2_00A17260 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0041C40C push cs; iretd |
6_2_0041C4E2 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00423149 push eax; ret |
6_2_00423179 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0041C50E push cs; iretd |
6_2_0041C4E2 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004231C8 push eax; ret |
6_2_00423179 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040E21D push ecx; ret |
6_2_0040E230 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0041C6BE push ebx; ret |
6_2_0041C6BF |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0050C125 push ebx; ret |
6_2_0050C126 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004FE484 push ecx; ret |
6_2_004FE497 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0050BE73 push cs; iretd |
6_2_0050BF49 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0050BF75 push cs; iretd |
6_2_0050BF49 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_020E4139 push edi; iretd |
6_2_020E414E |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_020E454E push ecx; retf |
6_2_020E4554 |
Source: w77lD51.exe.2.dr |
Static PE information: section name: .vazaweh |
Source: v7930id.exe.3.dr |
Static PE information: section name: .nakulor |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00052F1D |
Source: xJuGE71.exe.1.dr |
Static PE information: 0xCBA9AC16 [Mon Apr 11 09:21:26 2078 UTC] |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00051AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
0_2_00051AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
1_2_012E1AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
2_2_00DE1AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A11AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
3_2_00A11AE8 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe TID: 5364 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe TID: 1964 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
6_2_004019F0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\w77lD51.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00055467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, |
0_2_00055467 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
0_2_00052390 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
1_2_012E2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
2_2_00DE2390 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A12390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
3_2_00A12390 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_0040CE09 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
6_2_004019F0 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
0_2_00052F1D |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree, |
6_2_0040ADB0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Process token adjusted: Debug |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Process token adjusted: Debug |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F092B mov eax, dword ptr fs:[00000030h] |
6_2_004F092B |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004F0D90 mov eax, dword ptr fs:[00000030h] |
6_2_004F0D90 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00056F40 SetUnhandledExceptionFilter, |
0_2_00056F40 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00056CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00056CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E6F40 SetUnhandledExceptionFilter, |
1_2_012E6F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\zap9052.exe |
Code function: 1_2_012E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
1_2_012E6CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE6F40 SetUnhandledExceptionFilter, |
2_2_00DE6F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\zap9953.exe |
Code function: 2_2_00DE6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_00DE6CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A16F40 SetUnhandledExceptionFilter, |
3_2_00A16F40 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\zap8476.exe |
Code function: 3_2_00A16CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_00A16CF0 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_0040CE09 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_0040E61C |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_00416F6A |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004123F1 SetUnhandledExceptionFilter, |
6_2_004123F1 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004FD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_004FD070 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_004FE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_004FE883 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_005071D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_005071D1 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: 6_2_00502658 SetUnhandledExceptionFilter, |
6_2_00502658 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_000518A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, |
0_2_000518A3 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: GetLocaleInfoA, |
6_2_00417A20 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Code function: GetLocaleInfoA, |
6_2_00507C87 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\v7930id.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00057155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00057155 |
Source: C:\Users\user\Desktop\aeICl0Aabv.exe |
Code function: 0_2_00052BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, |
0_2_00052BFB |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1 |
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\tz5602.exe |
Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 |
Source: Yara match |
File source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED |
Source: Yara match |
File source: 0.3.aeICl0Aabv.exe.4710420.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.aeICl0Aabv.exe.4710420.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000003.246587631.000000000464E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\y89Te35.exe, type: DROPPED |
Source: Yara match |
File source: 1.3.zap9052.exe.10eda20.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.4f0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.3.v7930id.exe.520000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 6.2.v7930id.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.zap9052.exe.10eda20.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000006.00000002.306492758.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000002.306673569.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.282735795.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.247343724.000000000104F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\xJuGE71.exe, type: DROPPED |