Source: C:\Windows\etrnview.exe |
Avira: detection malicious, Label: TR/Agent.396616 |
Source: C:\Windows\etrnview.exe |
ReversingLabs: Detection: 62% |
Source: signed.exe |
ReversingLabs: Detection: 86% |
Source: signed.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0042A31A FindFirstFileA,GetLastError, |
Source: unknown |
DNS traffic detected: query: 206.23.85.13.in-addr.arpa (PTR lookup for 13.85.23.206), reply code: Name error (RCODE 3, NXDOMAIN) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa |
Source: signed.exe, etrnview.exe.0.dr |
String found in binary or memory: http://www.deposchedule.com/ |
Source: signed.exe |
String found in binary or memory: http://www.reallegal.com |
Source: signed.exe, etrnview.exe.0.dr |
String found in binary or memory: http://www.reallegal.com/ |
Source: signed.exe, etrnview.exe.0.dr |
String found in binary or memory: http://www.reallegal.com/binderpull.asp |
Source: signed.exe, etrnview.exe.0.dr |
String found in binary or memory: http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0041DB44 __EH_prolog,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GlobalUnlock,GlobalReAlloc,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,GlobalUnlock,GlobalLock,GlobalUnlock,GlobalReAlloc,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\Windows\etrnview.exe |
Source: C:\Users\user\Desktop\signed.exe |
Code functions listed without further detail: 0_2_00420400, 0_2_0042E502, 0_2_00423591, 0_2_00433975, 0_2_0041C9DD, 0_2_0041DB44, 0_2_0040EC34 |
Source: C:\Users\user\Desktop\signed.exe |
Code function: String functions and call counts: 00429E18 appears 80 times; 00429182 appears 35 times; 00435B40 appears 31 times; 0040AC84 appears 84 times; 0040ABFB appears 85 times |
Source: signed.exe, 00000000.00000000.2044838263.0000000000449000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe |
Source: signed.exe |
Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe |
Source: classification engine |
Classification label: mal72.winEXE@1/3@1/0 |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_004278A6 GetPrivateProfileStringA,GetLastError,FormatMessageA,LocalFree, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00405D5A MessageBoxA,LoadStringA,CoInitialize,SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SHGetPathFromIDListA,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoCreateInstance,lstrlenA,lstrcatA,lstrcatA,lstrcatA,SHChangeNotify,SHChangeNotify,LoadStringA,LoadStringA,LoadStringA,lstrlenA,lstrlenA,lstrlenA,SHChangeNotify,MessageBoxA,CoUninitialize, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00409099 FindResourceA,LoadResource,LockResource,FreeResource, |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk |
Source: signed.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
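The two static PE rows for signed.exe (file characteristics RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, and a .text section flagged IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ) are read straight from the COFF file header and the section table. The following is an added example, not part of this report and not code from the analysed sample: it decodes those fields from raw bytes and turns them into the two facts a triager wants from them, namely that with RELOCS_STRIPPED set the loader cannot rebase the image (so ASLR cannot apply whatever DllCharacteristics says), and whether any section is both writable and executable. The image it parses is a constructed minimal PE32 header, not signed.exe; the report does not show DllCharacteristics for the sample, so the constructed header assumes DYNAMIC_BASE and NX_COMPAT clear purely for illustration. Bit values are taken from the PE/COFF specification.

```python
import struct

# Bit names from the PE/COFF specification.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",      # no .reloc data: the image cannot be rebased
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",         # ASLR opt-in
    0x0100: "NX_COMPAT",            # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Decode COFF Characteristics, DllCharacteristics and section flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    info = {
        "machine": machine,
        "file_characteristics": _names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": [],
        "sections": [],
    }
    opt = coff + 20
    if opt_size >= 72:  # DllCharacteristics is at +70 in both PE32 and PE32+
        info["pe32plus"] = struct.unpack_from("<H", data, opt)[0] == 0x20B
        info["dll_characteristics"] = _names(
            struct.unpack_from("<H", data, opt + 70)[0], DLL_CHARACTERISTICS)
    sec = opt + opt_size
    for i in range(nsections):
        name, _vs, vaddr, rawsize, _rp, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec + i * 40)
        info["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "flags": _names(schars, SECTION_FLAGS),
        })
    return info


def assess(info: dict) -> list:
    """Mitigation findings a triager would note from the decoded headers."""
    findings = []
    dllc = info["dll_characteristics"]
    if "RELOCS_STRIPPED" in info["file_characteristics"]:
        findings.append("RELOCS_STRIPPED: image cannot be rebased, ASLR cannot apply")
    if "DYNAMIC_BASE" not in dllc:
        findings.append("DYNAMIC_BASE clear: not ASLR-compatible")
    if "NX_COMPAT" not in dllc:
        findings.append("NX_COMPAT clear: no DEP opt-in")
    for s in info["sections"]:
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(s["flags"]):
            findings.append(f"section {s['name']} is writable and executable")
    return findings


def build_sample() -> bytes:
    """Constructed minimal PE32 image (not the report's sample): one .text section,
    Characteristics 0x010F, DllCharacteristics 0 (assumed for illustration)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 96                                              # PE32, no data directories
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                # ImageBase
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x0000)                    # DllCharacteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)                 # CODE|EXECUTE|READ
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    parsed = parse_pe(build_sample())
    print(parsed["file_characteristics"], parsed["sections"][0]["flags"])
    for line in assess(parsed):
        print("-", line)
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe` instead of `build_sample()`; the parser only reads the headers, so the whole file does not need to be a valid image beyond the section table.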
Source: C:\Users\user\Desktop\signed.exe |
File read: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Users\user\Desktop\signed.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: signed.exe |
String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder? If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there. |
Source: signed.exe |
String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there. |
Source: signed.exe |
String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there. |
Source: signed.exe |
String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.Could not open this E-Transcript file for reading.Could not create the destination E-Transcript file for writing.Could not launch the new copy of the E-Transcript file, will run from the temporary folder instead.c:\pnxtrvu.ini.fts.gidFileOpenLocationTempSaveLocationDisplayBottomDisplayRightDisplayTopDisplayLeftSaveToKeychainDisplayValidShowWordIndexRICHED32.DLLMainWndClassWISplit - \ .ptxTMPTEMPAM PM 0: at /Could not find the transcript file.BININC\viewhelp.hlp~ehRealLegal E-Transcript Viewer.lnkNo main application icon (or file) was defined.Setuppnxbndr.exeptxfile\shell\open\command\StringFileInfo\%04x%04x\FileVersion\VarFileInfo\TranslationA file association could not be created. Contact your system administrator for assistance." %1"ContentType\shell\open\command\ContentTypeptxfileE-Transcript Fileapplication/x-etranscript\etrnview.exeDraftFinalSealedUnsealedSignedUnsigned%s %ld%s %ld - %ld2KWd} |
Source: C:\Users\user\Desktop\signed.exe |
File read: C:\Users\user\Desktop\signed.exe |
Source: C:\Users\user\Desktop\signed.exe |
Sections loaded: apphelp.dll, version.dll, uxtheme.dll, riched32.dll, riched20.dll, usp10.dll, msls31.dll, textshaping.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded three times), windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll |
Source: C:\Users\user\Desktop\signed.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: RealLegal E-Transcript Viewer.lnk.0.dr |
LNK file: ..\..\..\..\..\..\Windows\etrnview.exe |
Source: RealLegal E-Transcript Viewer.lnk0.0.dr |
LNK file: ..\..\..\Windows\etrnview.exe |
Source: C:\Users\user\Desktop\signed.exe |
File opened: C:\Windows\SysWOW64\RICHED32.DLL |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: signed.exe |
Static PE information: resource types present: RT_CURSOR, RT_BITMAP, RT_ICON, RT_MENU, RT_DIALOG, RT_STRING, RT_ACCELERATOR, RT_GROUP_ICON (the report labels these "section name"; they are resource directory types held in the .rsrc section, not PE sections) |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00433794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0042BE00 push eax; ret (at 0_2_0042BE2E) |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00429E18 push eax; ret (at 0_2_00429E36) |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\Windows\etrnview.exe |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_004017EE __EH_prolog,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrlenA,MessageBoxA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,MessageBoxA,EnableWindow,UpdateWindow,lstrcpyA,lstrcatA,lstrcatA,lstrcmpiA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MessageBoxA,EnableWindow, |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00405155 IsWindowVisible,WinHelpA,GetWindowPlacement,CopyRect,IsZoomed,GetClientRect,PostQuitMessage,IsWindowVisible,IsIconic,GetClientRect,DefWindowProcA,SetWindowLongA, |
Source: C:\Users\user\Desktop\signed.exe |
Dropped PE file which has not been started: C:\Windows\etrnview.exe |
Source: signed.exe, 00000000.00000002.3284717083.0000000000619000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: C:\Users\user\Desktop\signed.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00431CEA SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00431CFC SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\signed.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0042BB27 GetLocalTime,GetSystemTime,GetTimeZoneInformation, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_00430499 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0042A6BB EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, |
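As an added worked example (not part of the report and not code from the analysed sample or its vendor), the parser below re-pairs the flattened "Source: X |" / "detail |" rows of this page, drops the link residue ("Jump to behavior", repeated function ids) and pulls out the facts a triager reads this report for: the binary dropped into C:\Windows, the .lnk files whose relative targets point back to it, the reverse-DNS lookup (206.23.85.13.in-addr.arpa is the PTR name for 13.85.23.206, and reply code 3 is NXDOMAIN), the ReversingLabs detection rate and the file-enumeration routine. The input is an excerpt of this page's own rows embedded inline; the key names of the summary dictionary and the `lnk_to_dropped` heuristic are the example's own. The sandbox's raw output spells the DNS field "replaycode", so the regex accepts that spelling and "reply code".

```python
import re

# Excerpt of this page's rows in the flattened "Source: X |" / "detail |" layout.
# The residue rows ("Jump to behavior", bare function ids) are kept on purpose so
# the parser has something to skip. The spelling 'replaycode' is the raw tool output.
REPORT_EXCERPT = r"""
Source: signed.exe |
ReversingLabs: Detection: 86% |
Source: unknown |
DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3) |
Source: C:\Users\user\Desktop\signed.exe |
Code function: 0_2_0042A31A FindFirstFileA,GetLastError, |
0_2_0042A31A |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\Windows\etrnview.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\signed.exe |
File created: C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk |
Jump to behavior |
Source: RealLegal E-Transcript Viewer.lnk.0.dr |
LNK file: ..\..\..\..\..\..\Windows\etrnview.exe |
Source: C:\Users\user\Desktop\signed.exe |
Dropped PE file which has not been started: C:\Windows\etrnview.exe |
Jump to dropped file |
"""

RESIDUE = re.compile(r"^(Jump to (behavior|dropped file)|\d+_\d+_[0-9A-Fa-f]{8})$")


def parse_report(text: str) -> list:
    """Pair each 'Source:' row with the detail row that follows it."""
    records, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or RESIDUE.match(line):
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
            continue
        key, _, value = line.partition(": ")
        records.append({"source": source, "key": key, "value": value})
    return records


def ptr_name_to_ip(name: str):
    """206.23.85.13.in-addr.arpa -> 13.85.23.206 (octets are reversed in PTR names)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    return ".".join(reversed(m.groups())) if m else None


def lnk_tail(target: str) -> str:
    """Strip the leading '..\\' hops of a relative LNK target."""
    return re.sub(r"^(\.\.\\)+", "", target)


def triage(records: list) -> dict:
    s = {"dropped_exe": [], "lnk_files": [], "lnk_targets": [], "not_started": [],
         "ptr_lookups": [], "detections": {}, "file_enum_functions": []}
    for r in records:
        k, v, src = r["key"], r["value"], r["source"]
        if k == "File created" and v.lower().endswith(".exe"):
            s["dropped_exe"].append(v)
        elif k == "File created" and v.lower().endswith(".lnk"):
            s["lnk_files"].append(v)
        elif k == "LNK file":
            s["lnk_targets"].append((src, v))
        elif k == "Dropped PE file which has not been started":
            s["not_started"].append(v)
        elif k == "DNS traffic detected":
            q = re.search(r"query: (\S+)", v)
            rc = re.search(r"repla?y ?code: (.+)$", v)   # 'replaycode' or 'reply code'
            if q:
                s["ptr_lookups"].append({"name": q.group(1), "ip": ptr_name_to_ip(q.group(1)),
                                         "reply": rc.group(1) if rc else None})
        elif k == "ReversingLabs":
            pct = re.search(r"(\d+)%", v)
            if pct:
                s["detections"][src] = int(pct.group(1))
        elif k == "Code function" and "FindFirstFileA" in v:
            s["file_enum_functions"].append(v.split()[0])
    # Persistence link: an LNK whose target file name matches a dropped binary.
    dropped_names = {p.split("\\")[-1].lower() for p in s["dropped_exe"]}
    s["lnk_to_dropped"] = [t for _, t in s["lnk_targets"]
                           if lnk_tail(t).split("\\")[-1].lower() in dropped_names]
    return s


if __name__ == "__main__":
    for key, val in triage(parse_report(REPORT_EXCERPT)).items():
        print(f"{key}: {val}")
```

The `lnk_to_dropped` check compares file names only, because the report gives each link's relative target but not the directory it is resolved from. Resolving it needs the link's own location: three `..\` hops from C:\Users\Public\Desktop reach C:\ and then Windows\etrnview.exe, while the six-hop target matches the depth of the Start Menu\Programs\RealLegal E-Transcript Viewer folder the second link is created in.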