Windows Analysis Report
9CeivkJGUJ.exe

Overview

General Information

Sample name: 9CeivkJGUJ.exe
renamed because original name is a hash value
Original sample name: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
Analysis ID: 1536320
MD5: 3dfa97751d9b74984c353be2f1da5508
SHA1: 3ab278f6f4ae48b8616f55c4b445ce2349b03a68
SHA256: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c
Tags: exemailum-comuser-JAMESWT_MHT

Detection

Phalcon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Phalcon Ransomware
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to change the wallpaper
Found evasive API chain (may stop execution after checking mutex)
Found potential ransomware demand text
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Spreads via windows shares (copies files to share folders)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May use bcdedit to modify the Windows boot settings
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Uses 32bit PE files

Classification

Classification chart (legend only): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; score scale clean, suspicious, malicious.

AV Detection

Source: 9CeivkJGUJ.exe Avira: detected
Source: 9CeivkJGUJ.exe ReversingLabs: Detection: 71%
Source: 9CeivkJGUJ.exe Joe Sandbox ML: detected
Source: 9CeivkJGUJ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\7-Zip\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Microsoft Office 15\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\MSBuild\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Reference Assemblies\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Uninstall Information\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Mail\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Multimedia Platform\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Photo Viewer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Portable Devices\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\7-Zip\Lang\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Services\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\images\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\Offline\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\Platform\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Skins\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\BrowserCore\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Esl\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\ado\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\msadc\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\Ole DB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\SaslPrep\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\ado\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\msadc\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\Ole DB\en-US\PHALCON_RECOVER.txt
Source: 9CeivkJGUJ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\FSWiper\Release\FSWiper.pdb source: 9CeivkJGUJ.exe
Source: Binary string: vstoee100tlb.pdbj source: vstoee100.tlb.0.dr
Source: Binary string: vstoee90tlb.pdbN source: vstoee90.tlb.0.dr
Source: Binary string: vstoee100tlb.pdb source: vstoee100.tlb.0.dr
Source: Binary string: vstoee90tlb.pdb source: vstoee90.tlb.0.dr
Source: Binary string: D:\Projects\Debug Ransomware\Release\Crypter.pdb source: 9CeivkJGUJ.exe

Spreading

Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: Z:\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: z:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: x:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: v:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: t:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: r:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: p:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: n:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: l:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: j:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: h:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: f:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: d:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: b:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: y:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: w:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: u:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: s:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: q:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: o:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: m:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: k:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: i:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: g:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: e:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: c:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File opened: a:
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC70D0 GetCurrentThread,SetThreadPriority,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcmpiW,lstrlenW,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,CreateFileW,lstrlenA,WriteFile,CloseHandle,RtlFreeHeap,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,lstrcmpiW,PathFindExtensionW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,SetFileAttributesW,CreateFileW,GetLastError,GetLastError,SetFileAttributesW,CreateFileW,CloseHandle,SetFileAttributesW,CreateFileW,SetFilePointerEx,ReadFile,CloseHandle,RtlFreeHeap,lstrcmpiW,FindNextFileW,FindClose,RtlFreeHeap,HeapFree, 0_2_00BC70D0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC70D0 GetCurrentThread,SetThreadPriority,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcmpiW,lstrlenW,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,CreateFileW,lstrlenA,WriteFile,CloseHandle,HeapFree,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,lstrcmpiW,PathFindExtensionW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,SetFileAttributesW,CreateFileW,GetLastError,GetLastError,SetFileAttributesW,CreateFileW,CloseHandle,SetFileAttributesW,CreateFileW,SetFilePointerEx,ReadFile,CloseHandle,HeapFree,lstrcmpiW,FindNextFileW,FindClose,HeapFree,HeapFree, 6_2_00BC70D0
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: deploy.jar.0.dr String found in binary or memory: http://bugs.sun.com
Source: ThirdPartyNotices.MSHWLatin.txt.0.dr String found in binary or memory: http://comments.gmane.org/gmane.comp.lib.eigen/3302
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://dl.javafx.com/javafx-cache.jnlp
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://dl.javafx.com/javafx-rt.jnlp
Source: ThirdPartyNotices.MSHWLatin.txt.0.dr String found in binary or memory: http://eigen.tuxfamily.org/index.php?title=Main_Page#Credits
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://javaweb.sfbay.sun.com/~hj156752/awtless/fx/installer/fxinstaller.jnlp
Source: jfr.jar.0.dr String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: ThirdPartyNotices.MSHWLatin.txt.0.dr String found in binary or memory: http://listengine.tuxfamily.org/lists.tuxfamily.org/eigen/2012/07/msg00064.html
Source: ThirdPartyNotices.MSHWLatin.txt.0.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://oracle.com
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://oracle.com/bar/index.html
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://oracle.com/xyz/bar/index.html
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://slayeroffice.com/tools/modi/v2.0/modi_help.html
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://validator.w3.org/
Source: ThirdPartyNotices.MSHWLatin.txt.0.dr String found in binary or memory: http://www-users.cs.umn.edu/~saad/software/SPARSKIT/README
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.autoitscript.com
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/index.php?showtopic=19368
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/topic/153859-objevent-possible-with-addfocuschangedeventhandler/
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/topic/163278-defect-or-by-design-dictionary-object-assignment-in-a
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.debugbar.com/
Source: UIAWrappers.au3.0.dr String found in binary or memory: http://www.fiddlertool.com/fiddler/
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://www.netscape.com/newsref/std/cookie_spec.html
Source: jfr.jar.0.dr String found in binary or memory: http://www.oracle.com/hotspot/jdk/
Source: jfr.jar.0.dr String found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: jfr.jar.0.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://xml.org/sax/features/validation
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://xyz.sun.com/
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: http://xyz.sun.com/ammo/index.html
Source: 9CeivkJGUJ.exe, 00000000.00000002.3168583632.00000000033B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/openjdk/jfx
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/securitypack.jar
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://oracle.com
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://oracle.com/foo/xyz/index.html
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://oracle.com/foobar/xyz/index.html
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://oracle.com/xyz/foo/index.html
Source: UIAWrappers.au3.0.dr String found in binary or memory: https://sites.google.com/site/jozsefbekes/Home/windows-programming/dotnet-registering-an-object-to-t
Source: deploy.jar.Phalcon.0.dr, deploy.jar.0.dr String found in binary or memory: https://support.oracle.com
Source: lang-autoit.js.0.dr String found in binary or memory: https://www.autoitscript.com
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC55D0 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateFontW,SelectObject,wsprintfW,GetTextExtentPoint32W,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,HeapAlloc,Sleep,Sleep,HeapAlloc,GetDIBits,SHGetFolderPathW,lstrcatW,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,RegOpenKeyExW,lstrlenW,lstrlenW,RegSetValueExW,RegSetValueExW,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,SystemParametersInfoW,HeapFree,DeleteObject,DeleteObject,DeleteDC,ReleaseDC, 0_2_00BC55D0
Source: au3.api.0.dr Binary or memory string: _WinAPI_GetRawInputData ( $hRawInput, $pBuffer, $iLength, $iFlag ) Retrieves the raw input from the specified device (Requires: #include <WinAPISys.au3>) memstr_adf4b4fb-c

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\AutoIt3\Include\_ReadMe_.txt.Phalcon Dropped file: ^&3|x\de0NwEoli$C]rV4jr<J65#zzJ0:`Po%k+'_6(_8;X|kGutxxG,SdzW9I1:eY}]=6|GW1vZ;oau9p%*FbDTvTb3p)x@~pg4/TNg{o< d}YB* %C4k=tkRJ"h{U Jump to dropped file
Source: Yara match File source: 9CeivkJGUJ.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: 9CeivkJGUJ.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9CeivkJGUJ.exe PID: 7744, type: MEMORYSTR
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC55D0 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateFontW,SelectObject,wsprintfW,GetTextExtentPoint32W,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,HeapAlloc,Sleep,Sleep,HeapAlloc,GetDIBits,SHGetFolderPathW,lstrcatW,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,RegOpenKeyExW,lstrlenW,lstrlenW,RegSetValueExW,RegSetValueExW,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,SystemParametersInfoW,HeapFree,DeleteObject,DeleteObject,DeleteDC,ReleaseDC, 0_2_00BC55D0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC55D0 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateFontW,SelectObject,wsprintfW,GetTextExtentPoint32W,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,HeapAlloc,Sleep,Sleep,HeapAlloc,GetDIBits,SHGetFolderPathW,lstrcatW,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,RegOpenKeyExW,lstrlenW,lstrlenW,RegSetValueExW,RegSetValueExW,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,SystemParametersInfoW,HeapFree,DeleteObject,DeleteObject,DeleteDC,ReleaseDC, 6_2_00BC55D0
Source: 9CeivkJGUJ.exe String found in binary or memory : Phalcon Ransomware All your files are stolen and encrypted Find PHALCON_RECOVER.txt file and follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : All your files are stolen and encrypted Find PHALCON_RECOVER.txt file and follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : Phalcon RansomwareAll your files are stolen and encryptedFind PHALCON_RECOVER.txt fileand follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : All your files are stolen and encryptedFind PHALCON_RECOVER.txt fileand follow instructions
Source: 9CeivkJGUJ.exe, 00000000.00000000.1889949499.0000000000BD9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory : All your files are stolen and encrypted
Source: 9CeivkJGUJ.exe, 00000000.00000002.3163226426.0000000000BD9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory : All your files are stolen and encrypted
Source: 9CeivkJGUJ.exe String found in binary or memory : Phalcon Ransomware All your files are stolen and encrypted Find PHALCON_RECOVER.txt file and follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : All your files are stolen and encrypted Find PHALCON_RECOVER.txt file and follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : Phalcon RansomwareAll your files are stolen and encryptedFind PHALCON_RECOVER.txt fileand follow instructions
Source: 9CeivkJGUJ.exe String found in binary or memory : All your files are stolen and encryptedFind PHALCON_RECOVER.txt fileand follow instructions
Source: 9CeivkJGUJ.exe, 00000006.00000000.1902255136.0000000000BD9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory : All your files are stolen and encrypted
Source: 9CeivkJGUJ.exe, 00000006.00000002.1922135496.0000000000BD9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory : All your files are stolen and encrypted
Source: 9CeivkJGUJ.exe String found in binary or memory : All your files are stolen and encrypted
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File moved: C:\Users\user\Desktop\GRXZDKKVDB.mp3 Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File moved: C:\Users\user\Desktop\UOOJJOZIRH.xlsx Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File moved: C:\Users\user\Desktop\SFPUSAFIOL.jpg Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File moved: C:\Users\user\Desktop\WKXEWIOTXI.xlsx Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File moved: C:\Users\user\Desktop\ZTGJILHXQB.docx Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\EFI\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\$WinREAgent\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\AutoIt3\Extras\Prettify\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\Common Files\Adobe\Reader\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\Common Files\Java\Java Update\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File dropped: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\PHALCON_RECOVER.txt -> decryption service.>>> how to recover? we are not a politically motivated group and we want nothing more than money. if you pay, we will provide you with decryption software and destroy the stolen data.>>> what guarantees? you can send us an unimportant file less than 1mb, we decrypt it as guarantee. if we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.>>> instructions: please write an email to both: blackpanther@firemail.eu and blackpanther@mailum.com write your decryption id in the subject.>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your decryption id: nn49l5c9f <<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attention! - never pay before decryption of the test file. - do not go to recovery companies, they are just middlemen who will make money off you and cheat you. they secretly negotiate with us, buy decryption software and will sell it to you many times mo Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\helper.au3.Phalcon entropy: 7.99248652434 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_FontPrivateAddMemoryFont.au3.Phalcon entropy: 7.99499040816 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\Memory.au3.Phalcon entropy: 7.99005061909 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\ListViewConstants.au3.Phalcon entropy: 7.99065949394 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\Misc.au3.Phalcon entropy: 7.9950780073 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\PowerPoint.au3.Phalcon entropy: 7.99686861516 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\NetShare.au3.Phalcon entropy: 7.99547364039 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\SQLite.au3.Phalcon entropy: 7.99710953706 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\StructureConstants.au3.Phalcon entropy: 7.9968623438 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNote2021R_Retail-ppd.xrm-ms.Phalcon entropy: 7.99230403838 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNote2021R_Retail-ul-phn.xrm-ms.Phalcon entropy: 7.990549954 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNote2021R_Trial-ppd.xrm-ms.Phalcon entropy: 7.99386911185 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.Phalcon entropy: 7.99355802917 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.Phalcon entropy: 7.99321048373 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.Phalcon entropy: 7.99354316386 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Extras\Geshi\autoit.php.Phalcon entropy: 7.99851573142 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.Phalcon entropy: 7.99023696772 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.Phalcon entropy: 7.9911617512 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.Phalcon entropy: 7.99349480161 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.Phalcon entropy: 7.9940616794 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.Phalcon entropy: 7.99050004375 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt.Phalcon entropy: 7.99163545751 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.Phalcon entropy: 7.99267537019 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.Phalcon entropy: 7.99074964277 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.Phalcon entropy: 7.99048063803 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.Phalcon entropy: 7.99826989021 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado20.tlb.Phalcon entropy: 7.99653152188 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado21.tlb.Phalcon entropy: 7.99626409105 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.Phalcon entropy: 7.99193486697 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado25.tlb.Phalcon entropy: 7.99724749925 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.Phalcon entropy: 7.99310440911 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files\7-Zip\Lang\mng.txt.Phalcon entropy: 7.99104507895 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files\7-Zip\Lang\mng2.txt.Phalcon entropy: 7.99250744171 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.Phalcon entropy: 7.99297617963 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado27.tlb.Phalcon entropy: 7.99754527842 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado60.tlb.Phalcon entropy: 7.99755079789 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado28.tlb.Phalcon entropy: 7.99737365516 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msador28.tlb.Phalcon entropy: 7.99571649669 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.Phalcon entropy: 7.99298798477 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado26.tlb.Phalcon entropy: 7.99743426223 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_Grace-ppd.xrm-ms.Phalcon entropy: 7.99360777497 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.Phalcon entropy: 7.99114474293 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb.Phalcon entropy: 7.99093322553 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.Phalcon entropy: 7.99393861882 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Java\jre-1.8\lib\classlist.Phalcon entropy: 7.99774712084 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\Visa.au3.Phalcon entropy: 7.9958465278 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\UIAWrappers.au3.Phalcon entropy: 7.99848339626 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIDiag.au3.Phalcon entropy: 7.9939985635 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIConv.au3.Phalcon entropy: 7.9933335314 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdiDC.au3.Phalcon entropy: 7.99028829097 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIFiles.au3.Phalcon entropy: 7.9979841185 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIDlg.au3.Phalcon entropy: 7.99478958253 Jump to dropped file
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIInternals.au3.Phalcon entropy: 7.9912299095
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIIcons.au3.Phalcon entropy: 7.99325053189
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdiInternals.au3.Phalcon entropy: 7.99429776773
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIRes.au3.Phalcon entropy: 7.9952089331
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIProc.au3.Phalcon entropy: 7.9974393804
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIMem.au3.Phalcon entropy: 7.99223423746
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPILocale.au3.Phalcon entropy: 7.99136494256
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISysInternals.au3.Phalcon entropy: 7.9940072913
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISys.au3.Phalcon entropy: 7.99758252842
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIShPath.au3.Phalcon entropy: 7.99642171358
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIShellEx.au3.Phalcon entropy: 7.99577464292
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIReg.au3.Phalcon entropy: 7.99497998528
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\word.au3.Phalcon entropy: 7.99460288112
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinNet.au3.Phalcon entropy: 7.99654239389
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WindowsConstants.au3.Phalcon entropy: 7.99418606699
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPITheme.au3.Phalcon entropy: 7.99548243733
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISysWin.au3.Phalcon entropy: 7.99697461162
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.OLB.Phalcon entropy: 7.99358783406
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\au3.keywords.properties.Phalcon entropy: 7.99770271679
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files\7-Zip\Lang\sa.txt.Phalcon entropy: 7.99013732143
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_Retail-ppd.xrm-ms.Phalcon entropy: 7.99369899331
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_OEM_Perp-ppd.xrm-ms.Phalcon entropy: 7.99309325421
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_OEM_Perp-ul-phn.xrm-ms.Phalcon entropy: 7.99114985923
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021VL_KMS_Client_AE-ppd.xrm-ms.Phalcon entropy: 7.99278421916
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_Retail-ul-phn.xrm-ms.Phalcon entropy: 7.99197989894
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021R_Trial-ppd.xrm-ms.Phalcon entropy: 7.99357344215
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021VL_MAK_AE-ppd.xrm-ms.Phalcon entropy: 7.9930956556
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Outlook2021VL_MAK_AE-ul-phn.xrm-ms.Phalcon entropy: 7.99022872602
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar.Phalcon entropy: 7.99850887263
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.Phalcon entropy: 7.99259288919
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.Phalcon entropy: 7.9920172999
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC5B10 RegCreateKeyExW,GetTickCount,GetTickCount,OpenSCManagerW,RegEnumKeyW,OpenServiceW,QueryServiceStatusEx,Sleep,Sleep,QueryServiceStatusEx,GetTickCount,EnumDependentServicesW,GetLastError,HeapAlloc,Sleep,HeapAlloc,EnumDependentServicesW,OpenServiceW,ControlService,Sleep,QueryServiceStatusEx,GetTickCount,CloseServiceHandle,HeapFree,GetTickCount,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,HeapFree,DeleteService, 0_2_00BC5B10
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: SHGetFolderPathW,lstrcatW,wsprintfW,CreateFileW,WriteFile,CloseHandle,ShellExecuteW, /c "%s" /SHUTDOWN 0_2_00BC52A0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: SHGetFolderPathW,lstrcatW,wsprintfW,CreateFileW,WriteFile,CloseHandle,ShellExecuteW, /c "%s" /SHUTDOWN 6_2_00BC52A0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC14F0 0_2_00BC14F0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BCBCC5 0_2_00BCBCC5
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD65EC 0_2_00BD65EC
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD31E8 0_2_00BD31E8
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD2D50 0_2_00BD2D50
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC7EA0 0_2_00BC7EA0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BCBA93 0_2_00BCBA93
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC8210 0_2_00BC8210
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD7E4C 0_2_00BD7E4C
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD670C 0_2_00BD670C
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC3340 0_2_00BC3340
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC14F0 6_2_00BC14F0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BCBCC5 6_2_00BCBCC5
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BD65EC 6_2_00BD65EC
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BD2D50 6_2_00BD2D50
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC7EA0 6_2_00BC7EA0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BCBA93 6_2_00BCBA93
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC8210 6_2_00BC8210
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BD7E4C 6_2_00BD7E4C
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BD670C 6_2_00BD670C
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC3340 6_2_00BC3340
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: String function: 00BC8C00 appears 58 times
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: String function: 00BD0E83 appears 36 times
Source: sqloledb.rll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: msado60.tlb.0.dr Static PE information: No import functions for PE file found
Source: sqlxmlx.rll.0.dr Static PE information: No import functions for PE file found
Source: hmmapi.dll.mui.0.dr Static PE information: No import functions for PE file found
Source: sqloledb.rll.0.dr Static PE information: No import functions for PE file found
Source: msadox28.tlb.0.dr Static PE information: No import functions for PE file found
Source: msado28.tlb.0.dr Static PE information: No import functions for PE file found
Source: msado21.tlb.0.dr Static PE information: No import functions for PE file found
Source: msado25.tlb.0.dr Static PE information: No import functions for PE file found
Source: msadomd28.tlb.0.dr Static PE information: No import functions for PE file found
Source: msado20.tlb.0.dr Static PE information: No import functions for PE file found
Source: ieinstal.exe.mui.0.dr Static PE information: No import functions for PE file found
Source: MSADDNDR.OLB.0.dr Static PE information: No import functions for PE file found
Source: msado26.tlb.0.dr Static PE information: No import functions for PE file found
Source: msador28.tlb.0.dr Static PE information: No import functions for PE file found
Source: msado27.tlb.0.dr Static PE information: No import functions for PE file found
Source: 9CeivkJGUJ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.rans.spre.evad.winEXE@7/1119@0/0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC5030 SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitialize,CoCreateInstance,CoCreateInstance,CoCreateInstance,GetNativeSystemInfo,VariantInit,VariantClear,VariantInit,VariantClear,CoSetProxyBlanket,wsprintfW,VariantInit,wsprintfW,VariantClear,CoUninitialize, 0_2_00BC5030
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Users\user\Desktop\MSVCRT.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\PhalconMutex
Source: 9CeivkJGUJ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9CeivkJGUJ.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\9CeivkJGUJ.exe "C:\Users\user\Desktop\9CeivkJGUJ.exe"
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: unknown Process created: C:\Users\user\Desktop\9CeivkJGUJ.exe C:\Users\user\Desktop\9CeivkJGUJ.exe
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File written: C:\Program Files\Mozilla Firefox\application.ini
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\7-Zip\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Microsoft Office 15\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\MSBuild\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Reference Assemblies\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Uninstall Information\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Mail\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Multimedia Platform\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Photo Viewer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Portable Devices\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\7-Zip\Lang\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Services\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\images\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\Offline\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender\Platform\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Skins\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\BrowserCore\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Esl\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\ado\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\msadc\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\Ole DB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\SaslPrep\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\PHALCON_RECOVER.txt
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\ado\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\msadc\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Directory created: C:\Program Files\Common Files\System\Ole DB\en-US\PHALCON_RECOVER.txt Jump to behavior
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9CeivkJGUJ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 9CeivkJGUJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\FSWiper\Release\FSWiper.pdb source: 9CeivkJGUJ.exe
Source: Binary string: vstoee100tlb.pdbj source: vstoee100.tlb.0.dr
Source: Binary string: vstoee90tlb.pdbN source: vstoee90.tlb.0.dr
Source: Binary string: vstoee100tlb.pdb source: vstoee100.tlb.0.dr
Source: Binary string: vstoee90tlb.pdb source: vstoee90.tlb.0.dr
Source: Binary string: D:\Projects\Debug Ransomware\Release\Crypter.pdb source: 9CeivkJGUJ.exe
Source: 9CeivkJGUJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9CeivkJGUJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9CeivkJGUJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9CeivkJGUJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9CeivkJGUJ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: msado20.tlb.0.dr Static PE information: 0xCD2EA5A8 [Tue Jan 31 10:25:44 2079 UTC]
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC6300 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BC6300
Source: msado60.tlb.0.dr Static PE information: real checksum: 0x18a88 should be: 0x165ad
Source: sqlxmlx.rll.0.dr Static PE information: real checksum: 0xd925 should be: 0xc266
Source: hmmapi.dll.mui.0.dr Static PE information: real checksum: 0xa4dc should be: 0x59c0
Source: sqloledb.rll.0.dr Static PE information: real checksum: 0xc94c should be: 0xec80
Source: msadox28.tlb.0.dr Static PE information: real checksum: 0xec55 should be: 0xa070
Source: javacpl.cpl.0.dr Static PE information: real checksum: 0x41241 should be: 0x3ac45
Source: msado28.tlb.0.dr Static PE information: real checksum: 0x13df2 should be: 0x1c23f
Source: msado21.tlb.0.dr Static PE information: real checksum: 0xe482 should be: 0x1ccf3
Source: msado25.tlb.0.dr Static PE information: real checksum: 0x1bb41 should be: 0x11dfd
Source: 9CeivkJGUJ.exe Static PE information: real checksum: 0x0 should be: 0x2e2d7
Source: msadomd28.tlb.0.dr Static PE information: real checksum: 0xfb77 should be: 0x88e1
Source: msado20.tlb.0.dr Static PE information: real checksum: 0x1a5d7 should be: 0x17cab
Source: ieinstal.exe.mui.0.dr Static PE information: real checksum: 0x606a should be: 0x76aa
Source: vstoee100.tlb.0.dr Static PE information: real checksum: 0x68a0 should be: 0x7193
Source: MSADDNDR.OLB.0.dr Static PE information: real checksum: 0x1447f should be: 0x13b67
Source: msado26.tlb.0.dr Static PE information: real checksum: 0x12453 should be: 0x1b0b0
Source: msador28.tlb.0.dr Static PE information: real checksum: 0xf2aa should be: 0x187ad
Source: vstoee90.tlb.0.dr Static PE information: real checksum: 0x13622 should be: 0xfe78
Source: msado27.tlb.0.dr Static PE information: real checksum: 0x191d8 should be: 0x1943f
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado25.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msadomd28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msador28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Internet Explorer\en-GB\ieinstal.exe.mui
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado27.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado60.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\internet explorer\en-GB\ieinstal.exe.mui.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado21.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\common files\DESIGNER\MSADDNDR.OLB.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.OLB
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado26.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\internet explorer\en-US\hmmapi.dll.mui.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\ado\msado20.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe File created: C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.OLB
Source: NTSTATUSConstants.au3.Phalcon.0.dr Binary or memory string: Global Const $STATUS_FVE_DEBUGGER_ENABLED = 0xC021001D ; Boot debugging is enabled. Run Windows Boot Configuration Data Store Editor (bcdedit.exe) to turn it off.

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC5390 RegCreateKeyExW,RegCreateKeyExW,RegEnumKeyW,RegEnumKeyW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,CloseEventLog,RegSetValueExW,RegCloseKey,RegEnumKeyW,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,CloseEventLog,RegEnumKeyW, 0_2_00BC5390
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: GetModuleFileNameW,GetCommandLineW,CommandLineToArgvW,StrStrIW,wsprintfW,wsprintfW,ShellExecuteW, 0_2_00BC4F20
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: GetModuleFileNameW,GetCommandLineW,CommandLineToArgvW,StrStrIW,wsprintfW,wsprintfW,ShellExecuteW, 6_2_00BC4F20
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado25.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Internet Explorer\en-GB\ieinstal.exe.mui
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msadomd28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msador28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado27.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado60.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\internet explorer\en-GB\ieinstal.exe.mui.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado21.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\common files\DESIGNER\MSADDNDR.OLB.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.OLB
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado26.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\internet explorer\en-US\hmmapi.dll.mui.Phalcon (copy)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\ado\msado20.tlb
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe API coverage: 2.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC70D0 GetCurrentThread,SetThreadPriority,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcmpiW,lstrlenW,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,CreateFileW,lstrlenA,WriteFile,CloseHandle,RtlFreeHeap,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,lstrcmpiW,PathFindExtensionW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,RtlAllocateHeap,Sleep,HeapAlloc,lstrcpyW,lstrcatW,SetFileAttributesW,CreateFileW,GetLastError,GetLastError,SetFileAttributesW,CreateFileW,CloseHandle,SetFileAttributesW,CreateFileW,SetFilePointerEx,ReadFile,CloseHandle,RtlFreeHeap,lstrcmpiW,FindNextFileW,FindClose,RtlFreeHeap,HeapFree, 0_2_00BC70D0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC70D0 GetCurrentThread,SetThreadPriority,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcmpiW,lstrlenW,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,CreateFileW,lstrlenA,WriteFile,CloseHandle,HeapFree,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,lstrcmpiW,PathFindExtensionW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,HeapAlloc,Sleep,HeapAlloc,lstrcpyW,lstrcatW,SetFileAttributesW,CreateFileW,GetLastError,GetLastError,SetFileAttributesW,CreateFileW,CloseHandle,SetFileAttributesW,CreateFileW,SetFilePointerEx,ReadFile,CloseHandle,HeapFree,lstrcmpiW,FindNextFileW,FindClose,HeapFree,HeapFree, 6_2_00BC70D0
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC7C70 GetSystemInfo,CreateIoCompletionPort,SetThreadExecutionState,HeapAlloc,Sleep,HeapAlloc,CreateThread,Sleep,Sleep,PostQueuedCompletionStatus,WaitForMultipleObjects,CloseHandle,WaitForMultipleObjects,HeapFree,CloseHandle,SetThreadExecutionState, 0_2_00BC7C70
Source: classlist.0.dr Binary or memory string: java/lang/VirtualMachineError
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC899D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BC899D
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC6300 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BC6300
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BCD594 mov eax, dword ptr fs:[00000030h] 0_2_00BCD594
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BD0E9A mov eax, dword ptr fs:[00000030h] 0_2_00BD0E9A
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BCD594 mov eax, dword ptr fs:[00000030h] 6_2_00BCD594
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BD0E9A mov eax, dword ptr fs:[00000030h] 6_2_00BD0E9A
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC7E70 HeapCreate,GetProcessHeap, 0_2_00BC7E70
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC899D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BC899D
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BCDED2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BCDED2
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC8E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BC8E30
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC8B31 SetUnhandledExceptionFilter, 0_2_00BC8B31
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC899D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BC899D
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BCDED2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BCDED2
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC8E30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00BC8E30
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 6_2_00BC8B31 SetUnhandledExceptionFilter, 6_2_00BC8B31
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\user\Desktop\9CeivkJGUJ.exe" /F
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC69B0 AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,FreeSid,LocalFree, 0_2_00BC69B0
Source: UIAWrappers.au3.0.dr Binary or memory string: Return _UIA_getFirstObjectOfElement($UIA_oDesktop, "classname:=Shell_TrayWnd", $TreeScope_Children)
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC8C45 cpuid 0_2_00BC8C45
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Code function: 0_2_00BC4D10 HeapAlloc,RtlAllocateHeap,Sleep,Sleep,HeapAlloc,GetLocalTime,wsprintfW,EnterCriticalSection,WriteFile,WriteFile,WriteFile,WriteFile,LeaveCriticalSection,RtlFreeHeap, 0_2_00BC4D10
Source: C:\Users\user\Desktop\9CeivkJGUJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos