Windows Analysis Report
99.exe

Overview

General Information

Sample name: 99.exe
Analysis ID: 1559173
MD5: d493468d3a2924d4c9c235451c67e2aa
SHA1: d9f76deb08187b4c70cca18eccb456f0571f6404
SHA256: 159b20c6cdcee8b9c746d8b7d97efc8a24bc50e4e124715839178b61f30eccce
Tags: exe, opendir, user-Joker

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection

Source: 99.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: 99.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\99.exe Unpacked PE file: 0.2.99.exe.10000000.2.unpack
Source: 99.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: devco n.pdbo source: 99.exe
Source: Binary string: wntdll.pdbUGP source: 99.exe, 00000000.00000003.2176501070.0000000002668000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436711771.0000000002812000.00000040.00000020.00020000.00000000.sdmp, 709f3c.tmp.0.dr
Source: Binary string: wntdll.pdb source: 99.exe, 00000000.00000003.2176501070.0000000002668000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436711771.0000000002812000.00000040.00000020.00020000.00000000.sdmp, 709f3c.tmp.0.dr
Source: Binary string: wuser32.pdb source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp, 709faa.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe source: 99.exe
Source: Binary string: wuser32.pdbUGP source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp, 709faa.tmp.0.dr
Source: Binary string: devc@on.pdb source: 99.exe
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0053C235 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0053C235
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A199
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_100193C2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_100193C2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_100198CC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018AD3
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018AD3
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018EEA
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10007FDD
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A031
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006051
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006051
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10014096
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10014096
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1000210D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1000210D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10003116
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10010199
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001419C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001419C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100111A7
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_1001D1C4
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001D1C4
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100101FB
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10014203
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_1001221F
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_1001221F
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A236
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010255
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010255
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000833D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1000634E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000B353
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10026356
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100253E7
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000B3F0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10002461
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000F472
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1001847E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10025484
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10025484
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_10006495
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A4E7
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000B61E
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1001363D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001363D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10011653
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10011653
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A6C7
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100246E4
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100236FF
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100236FF
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10011772
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10024781
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10024781
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1002378A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100137A3
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1000A7A2
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000F7AC
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10018801
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10017804
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10011772
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001385A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10022882
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100188E1
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_1000B90D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10025977
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_100259D9
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100189E6
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FA6F
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10022A80
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010AD6
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010AD6
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001BADE
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008B27
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001BB29
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10015B34
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10012B40
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_1001DB5C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_1001DB5C
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017B68
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008BC4
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007BCA
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10013C18
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10011C1A
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10024C38
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006C96
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FCB0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017D41
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017D41
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FD4D
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10001D56
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008DA3
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007DB8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000FDEA
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008E40
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007E55
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10007E55
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10011E89
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_10017ECA
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10008EDD
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FF10
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10013FC8
Source: C:\Users\user\Desktop\99.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10005FDA
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00510400 InternetReadFile, 0_2_00510400
Source: 99.exe String found in binary or memory: http://.httpsset-cookie:;;
Source: 99.exe String found in binary or memory: http://ocsp.t
Source: 99.exe String found in binary or memory: http://sf.symc
Source: 99.exe String found in binary or memory: http://ts-ocsp.ws.s
Source: 99.exe String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: 99.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: 99.exe String found in binary or memory: https://note.youdao.com/yws/public/note/fee7522094b30863456a85ffb799784a?sev=j1
Source: 99.exe String found in binary or memory: https://ww(w.v
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
Source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_86e88561-1
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0054090F GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0054090F
Source: Yara match File source: Process Memory Space: 99.exe PID: 3800, type: MEMORYSTR
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_10007FDD NtClose, 0_2_10007FDD
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1001419C ReleaseMutex,NtClose, 0_2_1001419C
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1001221F NtClose, 0_2_1001221F
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0053E089 0_2_0053E089
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0046C0E4 0_2_0046C0E4
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0045108F 0_2_0045108F
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004C1190 0_2_004C1190
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004CB610 0_2_004CB610
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004C98C0 0_2_004C98C0
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004688EA 0_2_004688EA
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004E5A10 0_2_004E5A10
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00533A36 0_2_00533A36
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00433C2C 0_2_00433C2C
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004ACCC0 0_2_004ACCC0
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00537C82 0_2_00537C82
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0048FCAC 0_2_0048FCAC
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_100032EA 0_2_100032EA
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_10002628 0_2_10002628
Source: C:\Users\user\Desktop\99.exe Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\99.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\99.exe Code function: String function: 10029640 appears 65 times
Source: C:\Users\user\Desktop\99.exe Code function: String function: 0052D0F4 appears 35 times
Source: 709f3c.tmp.0.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 709f3c.tmp.0.dr Static PE information: No import functions for PE file found
Source: 99.exe, 00000000.00000002.3436899930.0000000002A72000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 99.exe
Source: 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 99.exe
Source: 99.exe, 00000000.00000003.2176501070.000000000278B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 99.exe
Source: 99.exe, 00000000.00000002.3436711771.000000000293F000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 99.exe
Source: 99.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 709f3c.tmp.0.dr Binary string: \Device\IPT[
Source: classification engine Classification label: mal72.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\99.exe File created: C:\Users\user\Desktop\ .ini
Source: C:\Users\user\Desktop\99.exe Mutant created: NULL
Source: C:\Users\user\Desktop\99.exe File created: C:\Users\user\AppData\Local\Temp\709f3c.tmp
Source: 99.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\99.exe File read: C:\Users\user\Desktop\ .ini
Source: C:\Users\user\Desktop\99.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 99.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\99.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\99.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\99.exe File written: C:\Users\user\Desktop\ .ini
Source: 99.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 99.exe Static file information: File size 2240512 > 1048576
Source: 99.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b000
Source: Binary string: devco n.pdbo source: 99.exe
Source: Binary string: wntdll.pdbUGP source: 99.exe, 00000000.00000003.2176501070.0000000002668000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436711771.0000000002812000.00000040.00000020.00020000.00000000.sdmp, 709f3c.tmp.0.dr
Source: Binary string: wntdll.pdb source: 99.exe, 00000000.00000003.2176501070.0000000002668000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436711771.0000000002812000.00000040.00000020.00020000.00000000.sdmp, 709f3c.tmp.0.dr
Source: Binary string: wuser32.pdb source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp, 709faa.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe source: 99.exe
Source: Binary string: wuser32.pdbUGP source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp, 709faa.tmp.0.dr
Source: Binary string: devc@on.pdb source: 99.exe

Data Obfuscation

Source: C:\Users\user\Desktop\99.exe Unpacked PE file: 0.2.99.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004C0410 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C0410
Source: 709f3c.tmp.0.dr Static PE information: section name: RT
Source: 709f3c.tmp.0.dr Static PE information: section name: .mrdata
Source: 709f3c.tmp.0.dr Static PE information: section name: .00cfg
Source: 709faa.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0052D0F4 push eax; ret 0_2_0052D112
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0040AAA8 push es; retf 0009h 0_2_0040AAA9
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0040AB5D push eax; retf 0060h 0_2_0040AB63
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0052AD60 push eax; ret 0_2_0052AD8E
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
Source: 709f3c.tmp.0.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: C:\Users\user\Desktop\99.exe File created: C:\Users\user\AppData\Local\Temp\709faa.tmp
Source: C:\Users\user\Desktop\99.exe File created: C:\Users\user\AppData\Local\Temp\709f3c.tmp
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00528D93 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00528D93
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
Source: C:\Users\user\Desktop\99.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\99.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\99.exe File opened: C:\Windows\SysWOW64\ntdll.dll
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00421D8D rdtsc 0_2_00421D8D
Source: C:\Users\user\Desktop\99.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\709faa.tmp
Source: C:\Users\user\Desktop\99.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\709f3c.tmp
Source: C:\Users\user\Desktop\99.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0053C235 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0053C235
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0041C420 GetSystemInfo, 0_2_0041C420
Source: 99.exe, 00000000.00000002.3436030706.00000000009BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\99.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\99.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00421D8D rdtsc 0_2_00421D8D
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_10004B1B LdrInitializeThunk, 0_2_10004B1B
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004C0410 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C0410
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0042025F mov ebx, dword ptr fs:[00000030h] 0_2_0042025F
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004159DC mov ebx, dword ptr fs:[00000030h] 0_2_004159DC
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0041CB04 mov eax, dword ptr fs:[00000030h] 0_2_0041CB04
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_00416E5A mov ebx, dword ptr fs:[00000030h] 0_2_00416E5A
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 0_2_1001A4C7
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h] 0_2_1000AE99
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_004AD790 GetProcessHeap,RtlAllocateHeap, 0_2_004AD790
Source: C:\Users\user\Desktop\99.exe Process token adjusted: Debug
Source: 99.exe Binary or memory string: Shell_TrayWnd
Source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436030706.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: 99.exe Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32
Source: 99.exe, 00000000.00000002.3436899930.00000000029CA000.00000040.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000002.3436030706.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, 99.exe, 00000000.00000003.2177302523.000000000266D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0042E43B cpuid 0_2_0042E43B
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0052C1C0 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_0052C1C0
Source: C:\Users\user\Desktop\99.exe Code function: 0_2_0053E089 __EH_prolog,GetVersion, 0_2_0053E089
No contacted IP infos