Source: eXiJWkp8OE.exe |
ReversingLabs: Detection: 52% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: eXiJWkp8OE.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: eXiJWkp8OE.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
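The two "Static PE information" lines above are raw flag dumps. As an added illustration (not part of the sandbox report and not the sandbox's own code), the following Python decodes the same COFF Characteristics, DllCharacteristics and section flags from a PE header and states the two consequences a triage analyst cares about: DYNAMIC_BASE means nothing once relocations are stripped (the loader cannot rebase the image, so it always maps at its ImageBase and ASLR does not apply), and the presence of a certificate table (the Symantec CRL/OCSP URLs listed further down come from one) says nothing about validity; the report itself later records "invalid certificate". The header bytes are constructed by build_sample_pe() to mirror the report's flag lists and are not the real sample.

```python
"""Added example (not the sandbox's code): decode the PE flag sets the report
lists and derive the findings a triage analyst wants from them. Stdlib only;
build_sample_pe() constructs a header that mirrors the report, not the real file."""
import json
import struct

IMAGE_FILE = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
IMAGE_DLL = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
             0x0800: "NO_BIND", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_SCN = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
             0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_SECURITY, DIR_BASERELOC = 4, 5  # IMAGE_DIRECTORY_ENTRY_SECURITY / _BASERELOC


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_flags(data: bytes) -> dict:
    """Parse COFF Characteristics, DllCharacteristics, section flags and the
    certificate / relocation directories of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ widens ImageBase/stack/heap fields
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dirs_off = opt + (112 if plus else 96)
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]

    def dir_size(i):
        return dirs[i][1] if i < len(dirs) else 0

    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, _names(struct.unpack_from("<I", data, off + 36)[0], IMAGE_SCN)))

    findings = []
    if dllchars & 0x40 and (chars & 0x1 or dir_size(DIR_BASERELOC) == 0):
        # The loader needs .reloc entries to rebase an image; without them
        # DYNAMIC_BASE is ignored and the image maps at its preferred base.
        findings.append("aslr_ineffective: DYNAMIC_BASE set but no relocations, "
                        f"image always loads at 0x{image_base:08X}")
    if not dllchars & 0x100:
        findings.append("dep_optout: NX_COMPAT not set")
    for name, flags in sections:
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            findings.append(f"rwx_section: {name}")
    if dir_size(DIR_SECURITY):
        findings.append(f"signed: {dir_size(DIR_SECURITY)}-byte certificate table present; "
                        "presence is not validity, verify the chain separately")
    else:
        findings.append("unsigned: no certificate table")
    return {"characteristics": _names(chars, IMAGE_FILE),
            "dll_characteristics": _names(dllchars, IMAGE_DLL),
            "sections": sections, "image_base": image_base,
            "signed": dir_size(DIR_SECURITY) > 0, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header mirroring the report's flag lists (not the real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)  # i386, one section
    opt = bytearray(224)  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    cert_off = 0x40 + 4 + 20 + 224 + 40  # bogus 8-byte certificate table appended at the end
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, cert_off, 8)
    # base relocation directory (index 5) stays zero: relocations are stripped
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       0x00000020 | 0x20000000 | 0x40000000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + b"\0" * 8


if __name__ == "__main__":
    print(json.dumps(pe_flags(build_sample_pe()), indent=2))
```

To actually validate the signature that the certificate table carries, run it through a real verifier (`signtool verify /pa <file>` or PowerShell's `Get-AuthenticodeSignature`); the parser above only reports that a table exists.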
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_004064C1 FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_004027FB FindFirstFileW, |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://s.symcd.com06 |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: eXiJWkp8OE.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: eXiJWkp8OE.exe |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: eXiJWkp8OE.exe |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: eXiJWkp8OE.exe |
String found in binary or memory: https://d.symcb.com/rpa0. |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_05128D05 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File created: C:\Windows\resources\0809 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_00406846 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_00404C59 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_050E0C72 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_050EE613 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_05128F25 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_05125940 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_051256B5 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_050E0BE8 |
Source: eXiJWkp8OE.exe |
Static PE information: invalid certificate |
Source: eXiJWkp8OE.exe, 00000000.00000000.1704518392.0000000000455000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameinanity.exe4 vs eXiJWkp8OE.exe |
Source: eXiJWkp8OE.exe |
Binary or memory string: OriginalFilenameinanity.exe4 vs eXiJWkp8OE.exe |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/10@0/0 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File created: C:\Users\user\tndingers |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File created: C:\Users\user\AppData\Local\Temp\nsv6735.tmp |
Source: eXiJWkp8OE.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File read: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: oleacc.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File written: C:\Users\user\Forbydende173.ini |
Source: Yara match |
File source: 00000000.00000002.4161831024.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_10002DE0 push eax; ret |
0_2_10002E0E |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_04BBFB98 push ds; retf |
0_2_04BBFB9C |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_04BC2B98 push ds; retf |
0_2_04BC2B9C |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
File created: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
API/Special instruction interceptor: Address: 51283F1 |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
RDTSC instruction interceptor: First address: 50E0BD2 second address: 50E0BD2 instructions: 0x00000000 rdtsc 0x00000002 test ebx, eax 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F1880B3DBA1h 0x00000008 cmp ax, cx 0x0000000b cmp edx, eax 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f cmp ch, dh 0x00000011 rdtsc |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_050E0A86 rdtsc |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll |
Source: eXiJWkp8OE.exe, 00000000.00000002.4161118192.00000000006F8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\aP~} |
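The RDTSC trace above shows two time-stamp reads 0x11 bytes apart with register compares and a conditional jump (jc) between them, executing at 0x050E0BD2. That address lies outside the image (loaded at 0x00400000) and outside the NSIS plugin DLL at 0x10000000, so the check runs from memory the process allocated at run time; the NtAllocateVirtualMemory call from 0x05128D05 and the Yara match in a memory region at 0x04BBF000 that belongs to no loaded module fit the same picture. The memory string above adds a VMware SCSI CD-ROM device path. The following Python is an added triage helper, not part of the report and not the sandbox's code: a byte scan for paired RDTSC opcodes over a code region, and a search for hypervisor vendor names in both ASCII and UTF-16LE (Windows device paths and registry values usually sit in memory as UTF-16, which ASCII-only strings tools miss). Both inputs are constructed: the code bytes re-encode the instructions from the trace (the jump displacement is a placeholder) and the memory buffer embeds the device path from the report.

```python
"""Added triage helpers (not part of the sandbox report): a byte scan for paired
RDTSC reads in a code region and a hypervisor-string search over a memory
dump. Both sample inputs below are constructed to mirror the report's evidence."""
import re

RDTSC = b"\x0f\x31"
JCC_SHORT = range(0x70, 0x80)  # short conditional jumps; 0x72 is jb/jc as in the trace


def find_rdtsc_pairs(code: bytes, window: int = 64) -> list:
    """Return (first_offset, second_offset, branch_between) for every pair of
    RDTSC opcodes at most `window` bytes apart. This is a pattern scan, not a
    disassembly: 0F 31 can also appear inside other instructions' operands, so
    hits are leads to confirm in a debugger, not proof."""
    hits = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    pairs = []
    for first, second in zip(hits, hits[1:]):
        if second - first <= window:
            between = code[first + 2:second]
            # A compare-and-branch between the two reads is what turns a timing
            # read into a check; this byte test is crude but matches the trace shape.
            branch = any(b in JCC_SHORT for b in between)
            pairs.append((first, second, branch))
    return pairs


VM_MARKERS = ("VMware", "VBOX", "VirtualBox", "QEMU", "Hyper-V", "Parallels")


def find_vm_strings(mem: bytes) -> dict:
    """Map marker -> [(encoding, offset), ...] for hypervisor vendor names found
    as ASCII or UTF-16LE, case-insensitively."""
    found = {}
    for marker in VM_MARKERS:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(marker.encode(enc)), re.IGNORECASE)
            for m in pat.finditer(mem):
                found.setdefault(marker, []).append((enc, m.start()))
    return found


# Constructed code bytes re-encoding the report's RDTSC trace (the jump
# displacement is a placeholder), with eight NOPs in front so offsets are non-zero.
SAMPLE_CODE = b"\x90" * 8 + bytes.fromhex(
    "0f31"    # rdtsc
    "85c3"    # test ebx, eax
    "39cb"    # cmp ebx, ecx
    "7210"    # jc +0x10
    "6639c8"  # cmp ax, cx
    "39c2"    # cmp edx, eax
    "45"      # inc ebp
    "43"      # inc ebx
    "38f5"    # cmp ch, dh
    "0f31"    # rdtsc
)

# Constructed memory buffer embedding the device path from the report as UTF-16LE.
SAMPLE_MEM = (b"\x00" * 16
              + "\\\\?\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#"
                "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le")
              + b"\x00" * 16)

if __name__ == "__main__":
    print("rdtsc pairs:", find_rdtsc_pairs(SAMPLE_CODE))
    print("vm strings:", find_vm_strings(SAMPLE_MEM))
```

The sandbox's "RDTSC instruction interceptor" records instructions that actually executed, which is stronger evidence than a static scan; use the scan to locate candidate regions in a dump (for example the allocated region the Yara rule matched) and confirm the pair under a debugger before reporting it as a timing check.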
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_00402E41 GetTempPathW,GetTickCount,GetModuleFileNameW,GetFileSize,LdrInitializeThunk,GlobalAlloc,CreateFileW,LdrInitializeThunk, |
Source: C:\Users\user\Desktop\eXiJWkp8OE.exe |
Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, |