Source: R2T8ccXCek.exe
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: R2T8ccXCek.exe
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: R2T8ccXCek.exe, decoder.dll.0.dr
Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb
Source: R2T8ccXCek.exe, decoder.dll.0.dr
Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5
Source: R2T8ccXCek.exe
Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AF43B0 FindFirstFileW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B12380 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A0A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B114D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AF3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AFC0B0 FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B0E3A0 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1E610 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1B7D0 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AF3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B2FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,
Source: R2T8ccXCek.exe
String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: R2T8ccXCek.exe, 00000000.00000002.2191481023.0000000000C08000.00000002.00000001.01000000.00000003.sdmp, R2T8ccXCek.exe, 00000000.00000000.2113182248.0000000000C08000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B315E0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AB1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A50010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A02250 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A0C4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A08720 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A08890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_009FEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A46EE0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_009FF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A1D320 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A115F0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A01670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_009FF7C0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A01C90 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A97F20 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_3_006D4F09
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A0A950
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B2B350
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B07D70
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A141B0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B8E2BE
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A0E290
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B8E64C
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AD2A50
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA8B95
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A08CD0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_009F2F40
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A252F0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A135A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A65570
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A17630
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00ACB7A0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A21860
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A4FA40
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B9DD6A
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A63FC0
Code function: String function: 009F8800 appears 187 times |
|
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: String function: 00B83CF9 appears 33 times |
|
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: String function: 009F99C0 appears 69 times |
|
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: String function: 009F6FF0 appears 39 times |
|
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: String function: 009F9390 appears 41 times |
|
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: String function: 00A23810 appears 112 times |
|
Source: R2T8ccXCek.exe, 00000000.00000002.2191627581.0000000000CB6000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFileNameInstaller.exe4 vs R2T8ccXCek.exe
Source: R2T8ccXCek.exe
Binary or memory string: OriginalFileNameInstaller.exe4 vs R2T8ccXCek.exe
Source: R2T8ccXCek.exe
Binary or memory string: OriginalFilenameDecoder.dllF vs R2T8ccXCek.exe
Source: classification engine
Classification label: clean6.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AF2230 FormatMessageW,GetLastError,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1C990 GetDiskFreeSpaceExW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B36D50 CoCreateInstance,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A8AB40 FindResourceW,LoadResource,LockResource,SizeofResource,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: R2T8ccXCek.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File read: C:\Users\user\Desktop\R2T8ccXCek.exe
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: msi.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: usp10.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: msls31.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: mpr.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: userenv.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: wininet.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: propsys.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: lpk.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: secur32.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: samcli.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: riched20.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Automated click: OK
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: R2T8ccXCek.exe
Static PE information: Virtual size of .text is bigger than: 0x100000
Source: R2T8ccXCek.exe
Static file information: File size 50171956 > 1048576
Source: R2T8ccXCek.exe
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: R2T8ccXCek.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: R2T8ccXCek.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: R2T8ccXCek.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: R2T8ccXCek.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: R2T8ccXCek.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: R2T8ccXCek.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00AF2350 LoadLibraryW,GetProcAddress,FreeLibrary,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_3_006DC879 push 00000000h; ret 0_3_006DC87C
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_3_006D8E36 push 00000000h; iretd 0_3_006D8E38
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_3_006E060C pushfd ; ret 0_3_006E0675
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B86C6E push ecx; ret 0_2_00B86C81
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00A05BE0 push ecx; mov dword ptr [esp], ecx 0_2_00A05BE1
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Evaded block: after key decision
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation
Code function: 0_2_00AF43B0 FindFirstFileW,GetLastError,FindClose, |
0_2_00AF43B0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B12380 FindFirstFileW,FindClose, |
0_2_00B12380 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00A0A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, |
0_2_00A0A950 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B114D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
0_2_00B114D0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00AF3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, |
0_2_00AF3DE0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00AFC0B0 FindFirstFileW,FindClose,FindClose, |
0_2_00AFC0B0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B0E3A0 FindFirstFileW,FindClose, |
0_2_00B0E3A0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B1E610 FindFirstFileW,FindClose, |
0_2_00B1E610 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B1B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
0_2_00B1B3D0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B1B7D0 FindFirstFileW,FindClose, |
0_2_00B1B7D0 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00AF3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, |
0_2_00AF3A50 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B2FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
0_2_00B2FB20 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe |
Code function: 0_2_00B1A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, |
0_2_00B1A620 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B8365A VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B8AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B277C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,
Code function: 0_2_00AF2350 LoadLibraryW,GetProcAddress,FreeLibrary, |
0_2_00AF2350 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B9C66D mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA783E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B85CA1 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B85D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B86738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Code function: 0_2_00B8AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00B8AD13 |
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B1EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B14050 GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA0186 GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA41E6 GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA430F GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA44E4 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA4415 GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3B80 GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B9FC09 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3D7B GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3E22 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3E6D EnumSystemLocalesW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3F93 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00BA3F08 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B2BB20 CreateNamedPipeW,CreateFileW,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B872F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\R2T8ccXCek.exe
Code function: 0_2_00B2A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,