Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561199
MD5: 11c8962675b6d535c018a63be0821e4c
SHA1: a150fa871e10919a1d626ffe37b1a400142f452b
SHA256: 421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273
Tags: exe, user-Bitsight

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to infect the boot sector
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Queries device information via Setup API
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A1E0 ??0QByteArray@@QAE@PBDH@Z,?hash@QCryptographicHash@@SA?AVQByteArray@@ABV2@W4Algorithm@1@@Z,?qFree@@YAXPAX@Z,?at@QByteArray@@QBE?BDH@Z,?qFree@@YAXPAX@Z,?qFree@@YAXPAX@Z, 0_2_00B8A1E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C5A0 CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,wprintf,CryptMsgGetParam,GetLastError,wprintf, 0_2_00B2C5A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C6A0 lstrcmpA,CryptDecodeObject,GetLastError,wprintf,LocalAlloc,wprintf,CryptDecodeObject, 0_2_00B2C6A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2CA10 lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,wprintf,CryptDecodeObject,GetLastError,wprintf,CertFindCertificateInStore,GetLastError,wprintf,LocalAlloc,CertGetNameStringW,CertGetNameStringW,wprintf,LocalAlloc,wprintf,CertGetNameStringW,CertGetNameStringW,LocalAlloc,wprintf,CertGetNameStringW, 0_2_00B2CA10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2CE70 lstrcmpA,CryptDecodeObject,GetLastError,wprintf,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00B2CE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B54E50 ??0QFile@@QAE@ABVQString@@@Z,?size@QFile@@UBE_JXZ,?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z,??0QCryptographicHash@@QAE@W4Algorithm@0@@Z,?read@QIODevice@@QAE_JPAD_J@Z,?addData@QCryptographicHash@@QAEXPBDH@Z,?close@QFile@@UAEXXZ,?result@QCryptographicHash@@QBE?AVQByteArray@@XZ,?toHex@QByteArray@@QBE?AV1@XZ,??0QString@@QAE@ABVQByteArray@@@Z,??1QByteArray@@QAE@XZ,??1QByteArray@@QAE@XZ,??1QCryptographicHash@@QAE@XZ,??1QFile@@UAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@XZ,??1QFile@@UAE@XZ,??1QString@@QAE@XZ, 0_2_00B54E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B91010 ??0QByteArray@@QAE@PBDH@Z,?hash@QCryptographicHash@@SA?AVQByteArray@@ABV2@W4Algorithm@1@@Z,?qFree@@YAXPAX@Z,?at@QByteArray@@QBE?BDH@Z,?qFree@@YAXPAX@Z,?qFree@@YAXPAX@Z, 0_2_00B91010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2D339 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertCloseStore,CryptMsgClose, 0_2_00B2D339
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9B7FF ??1QCryptographicHash@@QAE@XZ, 0_2_00B9B7FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B69710 ?instance@QCoreApplication@@SAPAV1@XZ,?applicationFilePath@QCoreApplication@@SA?AVQString@@XZ,??0QFile@@QAE@ABVQString@@@Z,??1QString@@QAE@XZ,?size@QFile@@UBE_JXZ,?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z,?map@QFile@@QAEPAE_J0W4MemoryMapFlags@1@@Z,??0QByteArray@@QAE@PBDH@Z,?hash@QCryptographicHash@@SA?AVQByteArray@@ABV2@W4Algorithm@1@@Z,??1QByteArray@@QAE@XZ,?unmap@QFile@@QAE_NPAE@Z,?close@QFile@@UAEXXZ,?toHex@QByteArray@@QBE?AV1@XZ,??0QString@@QAE@ABVQByteArray@@@Z,_DebugHeapAllocator,??1QString@@QAE@XZ,??1QByteArray@@QAE@XZ,?number@QString@@SA?AV1@HH@Z,_DebugHeapAllocator,??1QString@@QAE@XZ,_DebugHeapAllocator,??1QByteArray@@QAE@XZ,??1QFile@@UAE@XZ, 0_2_00B69710
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: certificate valid
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: file.exe
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B623B0 memset,?winId@QWidget@@QBEPAUHWND__@@XZ,RegisterDeviceNotificationW,?qDebug@@YA?AVQDebug@@XZ,??6QDebug@@QAEAAV0@PBD@Z,??1QDebug@@QAE@XZ, 0_2_00B623B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5CCA0 memset,GetLogicalDriveStringsW,CreateFileW,DeviceIoControl,GetDriveTypeW,GetVolumeInformationW,CloseHandle,CloseHandle,wcslen,GetVolumeInformationW,_DebugHeapAllocator,_DebugHeapAllocator, 0_2_00B5CCA0
Source: file.exe String found in binary or memory: http://b.chenall.net/menu.lst
Source: file.exe String found in binary or memory: http://bug.reneelab.com
Source: file.exe String found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: file.exe String found in binary or memory: http://isecure-a.reneelab.com/webapi.php?code=
Source: file.exe String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=
Source: file.exe String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://
Source: file.exe String found in binary or memory: http://isecure.reneelab.com/webapi.php?code=
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0W
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://support.reneelab.com/anonymous_requests/new
Source: file.exe String found in binary or memory: http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.google-analytics.com/collect
Source: file.exe String found in binary or memory: http://www.reneelab.biz/
Source: file.exe String found in binary or memory: http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony
Source: file.exe String found in binary or memory: http://www.reneelab.cc/
Source: file.exe String found in binary or memory: http://www.reneelab.com.cn/
Source: file.exe String found in binary or memory: http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst
Source: file.exe String found in binary or memory: http://www.reneelab.com/
Source: file.exe String found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
Source: file.exe String found in binary or memory: http://www.reneelab.de/
Source: file.exe String found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: file.exe String found in binary or memory: http://www.reneelab.es/
Source: file.exe String found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: file.exe String found in binary or memory: http://www.reneelab.fr/
Source: file.exe String found in binary or memory: http://www.reneelab.it/
Source: file.exe String found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
Source: file.exe String found in binary or memory: http://www.reneelab.jp/
Source: file.exe String found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: file.exe String found in binary or memory: http://www.reneelab.kr/
Source: file.exe String found in binary or memory: http://www.reneelab.net/
Source: file.exe String found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
Source: file.exe String found in binary or memory: http://www.reneelab.pl/
Source: file.exe String found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
Source: file.exe String found in binary or memory: http://www.reneelab.ru/
Source: file.exe String found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: file.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe String found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: file.exe String found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
Source: file.exe String found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
Source: file.exe String found in binary or memory: https://downloads.reneelab.com/download_api.php
Source: file.exe String found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
Source: file.exe String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
Source: file.exe String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
Source: file.exe String found in binary or memory: https://www.reneelab.com
Source: file.exe String found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5CCA0: memset,GetLogicalDriveStringsW,CreateFileW,DeviceIoControl,GetDriveTypeW,GetVolumeInformationW,CloseHandle,CloseHandle,wcslen,GetVolumeInformationW,_DebugHeapAllocator,_DebugHeapAllocator, 0_2_00B5CCA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8C3E0 0_2_00B8C3E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86370 0_2_00B86370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2468E 0_2_00B2468E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B266E0 0_2_00B266E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B90620 0_2_00B90620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24610 0_2_00B24610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B907A0 0_2_00B907A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24A10 0_2_00B24A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24BC0 0_2_00B24BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92D20 0_2_00B92D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B28D70 0_2_00B28D70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B26ED0 0_2_00B26ED0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24F30 0_2_00B24F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B873F0 0_2_00B873F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8B7B0 0_2_00B8B7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B877E0 0_2_00B877E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B258E0 0_2_00B258E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B898E0 0_2_00B898E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B21A80 0_2_00B21A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B25BE0 0_2_00B25BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B87B20 0_2_00B87B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B23D60 0_2_00B23D60
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B953BE appears 311 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B6C2D0 appears 71 times
Source: file.exe, 00000000.00000002.3327514456.0000000001128000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRescueCDBurner.exe< vs file.exe
Source: file.exe, 00000000.00000002.3327123911.0000000000BA6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000002.3327123911.0000000000BA6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.3327123911.0000000000BA6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000002.3327123911.0000000000BA6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe, 00000000.00000000.2071308118.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000000.2071308118.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.2071308118.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000000.2071308118.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameRescueCDBurner.exe< vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus20.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6A2B0 ?tempPath@QDir@@SA?AVQString@@XZ,??1QString@@QAE@XZ,?mid@QString@@QBE?AV1@HH@Z,memset,?utf16@QString@@QBEPBGXZ,GetVolumeInformationW,?fromUtf16@QString@@SA?AV1@PBGH@Z,??0QString@@QAE@PBD@Z,?contains@QString@@QBE?AVQBool@@ABV1@W4CaseSensitivity@Qt@@@Z,??1QString@@QAE@XZ,??0QString@@QAE@XZ,GetLogicalDrives,??0QChar@@QAE@UQLatin1Char@@@Z,??0QString@@QAE@PBD@Z,?arg@QString@@QBE?AV1@DHABVQChar@@@Z,??4QString@@QAEAAV0@$$QAV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,?utf16@QString@@QBEPBGXZ,GetVolumeInformationW,?fromUtf16@QString@@SA?AV1@PBGH@Z,??4QString@@QAEAAV0@$$QAV0@@Z,??1QString@@QAE@XZ,?utf16@QString@@QBEPBGXZ,GetDriveTypeW,??0QString@@QAE@PBD@Z,?contains@QString@@QBE?AVQBool@@ABV1@W4CaseSensitivity@Qt@@@Z,??1QString@@QAE@XZ,?utf16@QString@@QBEPBGXZ,GetDiskFreeSpaceExW,??4QString@@QAEAAV0@ABV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ, 0_2_00B6A2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B80190 CloseHandle,CreateToolhelp32Snapshot, 0_2_00B80190
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: :/Resources/Loading.png
Source: file.exe String found in binary or memory: <GMozilla/5.0 () GAnalytics/1.0 (Qt/4.8.5 )Windows; _-en%1 TB%1 GB%1 MB%1 KB%1 bytes%1:%2:%3An Error has been detected. Reason : ar<font size='%1'>%2</font><font size='%1'>%2</font>Error! Please note: ar<font size='%1'>%2</font><font size='%1'>%2</font>Note! ar<font size='%1'>%2</font><font size='%1'>%2</font><font size='%1'>%2</font>Note! ar<font size='%1'>%2</font>arNote! Please note: <font size='%1'>%2</font><font size='%1'>%2</font>Warning! :/Resources/Loading.pngPSW_RENEELB_WINx86_20201003
Source: file.exe String found in binary or memory: nDas Erstellen von EFI-Startdateien ist fehlgeschlagen.
Source: file.exe String found in binary or memory: --stop=
Source: file.exe String found in binary or memory: --start
Source: file.exe String found in binary or memory: %.*s--all%-*.*s%s:--unit=--speed=--port=--word=--stop=--parity=nooddeven$1$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz%.30sEncrypted: %s
Source: file.exe String found in binary or memory: --play=--start--mid--end--nowait--offset=--fill-color=--animated=-1 %d %d %ld (HEX:0x%lX)
Source: file.exe String found in binary or memory: --help=
Source: file.exe String found in binary or memory: --add-mbt=0 %s --heads=%d --sectors-per-track=%d (md)0x%lX+0x%lX (0x%X)
Source: file.exe String found in binary or memory: --add-mbt=
Source: file.exe String found in binary or memory: --string=date&time--draw-box=--u--ver-on--ver-off--lang=en--lang=zh--left-align--right-align--middle-align--triangle-on--triangle-off--highlight-short--highlight-full--keyhelp-on--keyhelp-off--box--auto-num-all-on--auto-num-on--auto-num-off--keyhelp=--help=--graphic-entry=--type=netbsdfreebsdopenbsdbiglinuxmultiboot--no-mem-option%s%s-P:-h 0 1 2 3 4 5 6 7-L-0 1 2 3 4 5 6 7 L -n-e-v-rrggbbPlease use in VBE mode.0x%06x--hex=--length=--locate=--locatei=--replace=--locate-align=--number=()+1Filesize is 0x%lX
Source: file.exe String found in binary or memory: --hook--unhook--unmap=(0x%X) (0x%X)--rehook--add-mbt=0 %s --heads=%d --sectors-per-track=%d (md)0x%lX+0x%lX (0x%X)Re-map the memdrive (0x%X):
Source: file.exe String found in binary or memory: --mem=--mem--read-only--fake-write--unsafe-boot--disable-chs-mode--disable-lba-mode--in-place=--in-situ=--in-place--in-situ--heads=--sectors-per-track=--add-mbt=--skip-sectors=--max-sectors=--swap-drive=(0x%x) (0x%x)(%d)+1(%d)%ld+%ldFor mem file in emulation, you should not specify sector_count to 1.
Source: file.exe String found in binary or memory: --cursor-address=
Source: file.exe String found in binary or memory: beep [--start|--mid|--end] [--play=N] [--nowait] FREQUENCY DURATION FREQUENCY DURATION ...
Source: file.exe String found in binary or memory: The use of [--start|--mid|--end] specifies.
Source: file.exe String found in binary or memory: [--parity=PARITY] [--stop=STOP] [--device=DEV]
Source: file.exe String found in binary or memory: --help=X=W=Y
Source: file.exe String found in binary or memory: hotkey F2,control animation: play/stop.
Source: file.exe String found in binary or memory: terminfo [--name=NAME --cursor-address=SEQ [--clear-screen=SEQ]
Source: file.exe String found in binary or memory: msg=N,sets the message level: 0:off,1-3:on.JanFebMarAprMayJunJulAugSepOctNovDeccommand [--set-path=PATH|--set-ext=EXTENSIONS] FILE [ARGS]Run executable file FILE with arguments ARGS.--set-path sets a search PATH for executable files,default is (bd)/boot/grub.--set-ext sets default extensions for executable files.TextCGA graphicsHercules graphicsPlanarPacked pixelNon-chain 4, 256 colorDirect ColorYUV--name=--cursor-address=--clear-screen=--enter-standout-mode=--exit-standout-mode=escapeexclamnumbersigndollarpercentcaretampersandasteriskparenleftparenrightunderscoreplusctrlbackspacetabQWYUIOPbraceleftbracerightHJLdoublequotetildebarZlessgreaterquestionhomeuparrowpageupleftarrowcenterrightarrowdownarrowpagedowninsertdeleteshiftF1shiftF2shiftF3shiftF4shiftF5shiftF6shiftF7shiftF8shiftF9shiftF10ctrlF1ctrlF2ctrlF3ctrlF4ctrlF5ctrlF6ctrlF7ctrlF8ctrlF9ctrlF10AqAwAeArAtAyAuAiAoApAaAsAdAfAgAhAjAkAlAzAxAcAvAbAnAmA1A2A3A4A5A6A7A8A9A0shiftoem102AminusAequalAbracketleftAbracketrightAsemicolonAquoteAbackquoteAbackslashAcommaAperiodAslashblackbrownlight-graydark-graylight-bluelight-greenlight-cyanlight-redlight-magentayellowwhitebackgroundbackground RRGGBBSets the background color when in graphics mode.RR is red, GG is green, and BB blue. Numbers must be in hexadecimal.beepbeep [--start|--mid|--end] [--play=N] [--nowait] FREQUENCY DURATION FREQUENCY DURATION ...FREQUENCY: Hz. DURATION: ms. Max: 126 notes.
Source: file.exe String found in binary or memory: The use of [--start|--mid|--end] specifies.blocklist FILEPrint the blocklist notation of the file FILE.boot [-1]Boot the OS/chain-loader which has been loaded.with option "-1" will boot to local via INT 18.calccalc [*INTEGER=] [*]INTEGER OPERATOR [[*]INTEGER]GRUB4DOS Simple Calculator.
Source: file.exe String found in binary or memory: [--parity=PARITY] [--stop=STOP] [--device=DEV]Initialize a serial device. UNIT is a digit that specifies which serial device is used (e.g. 0 == COM1). If you need to specify the port number, set it by --port. SPEED is the DTE-DTE speed. WORD is the word length, PARITY is the type of parity, which is one of `no', `odd' and `even'. STOP is the length of stop bit(s). The option --device can be used only in the grub shell, which specifies the file name of a tty device. The default values are COM1, 9600, 8N1.set [/p] [/a|/A] [/l|/u] [VARIABLE=[STRING]]/p,Get a line of input;l|/u,lower/upper case;/a|/A,numerical expression that is evaluated(use calc)./a,set value to a Decimal;/A to a HEX.setkeysetkey [NEW_KEY USA_KEY]Map default USA_KEY to NEW_KEY. Key names: 0-9, A-Z, a-z or escape, exclam, at, numbersign, dollar, percent, caret, ampersand, asterisk, parenleft, parenright, minus, underscore, equal, plus, backspace, tab, bracketleft, braceleft, bracketright, braceright, enter, semicolon, colon, quote, doublequote, backquote, tilde, backslash, bar, comma, less, period, greater, slash, question, alt, space, delete, oem102, shiftoem102, [ctrl|shift]F1-10. For Alt+ prefix with A, e.g. 'setkey at Aequal'. Use 'setkey at at' to reset one key, 'setkey' to reset all keys.setlocalsetmenusetmenu --parameter | --parameter | ... --ver-on* --ver-off --lang=en* --lang=zh --u (clear all)
Source: file.exe String found in binary or memory: [--lines=LINES] [--silent] [console] [serial] [hercules] [graphics]Select a terminal. When multiple terminals are specified, wait until you push any key to continue. If both console and serial are specified, the terminal to which you input a key first will be selected. If no argument is specified, print current setting. The option --dumb specifies that your terminal is dumb, otherwise, vt100-compatibility is assumed. If you specify --no-echo, input characters won't be echoed. If you specify --no-edit, the BASH-like editing feature will be disabled. If --timeout is present, this command will wait at most for SECS seconds. The option --lines specifies the maximum number of lines. The option --silent is used to suppress messages.terminfoterminfo [--name=NAME --cursor-address=SEQ [--clear-screen=SEQ]
Source: file.exe String found in binary or memory: --help,-hDisplay this message and exit
Source: file.exe String found in binary or memory: --help
Source: file.exe String found in binary or memory: s@6s@check fail at sector %dinvalid option %s for savenot enough space for file listinvalid option %s for create--help-h--version-V1.6%s version : %s build %d
Source: file.exe String found in binary or memory: -help
Source: file.exe String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be specifiedThere is no second file name for rename pair:Unsupported rename command:-r0-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: starburn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: qtcore4.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: qtgui4.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: qtnetwork4.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: qtxml4.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dbghelp.dll Jump to behavior
Source: file.exe Static PE information: certificate valid
Source: file.exe Static file information: File size 6487736 > 1048576
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x57ee00
Source: file.exe Static PE information: More than 200 imports for QtCore4.dll
Source: file.exe Static PE information: More than 200 imports for QtGui4.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: file.exe
Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: file.exe
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7DDB0 LoadLibraryW,GetProcAddress,VirtualProtect,VirtualProtect,GetCurrentProcess,WriteProcessMemory,VirtualProtect, 0_2_00B7DDB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B95C45 push ecx; ret 0_2_00B95C58

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe Code function: ?append@QString@@QAEAAV1@ABV1@@Z,?fromAscii_helper@QString@@CAPAUData@1@PBDH@Z,memset,CreateFileW,memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,malloc,memset,MultiByteToWideChar,??2@YAPAXI@Z,DeviceIoControl,??2@YAPAXI@Z,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,CloseHandle,DeviceIoControl,CreateFileW,DeviceIoControl,memset,DeviceIoControl,CloseHandle,DeviceIoControl,GetDiskFreeSpaceExW,malloc,malloc,memset,malloc,GetVolumeInformationW,malloc,memset,malloc,memset,CloseHandle,DeviceIoControl, \\.\PhysicalDrive%d 0_2_00B92D20
Source: C:\Users\user\Desktop\file.exe Code function: CreateFileW,GetLastError,DeviceIoControl,CloseHandle,GetLastError,CloseHandle,CloseHandle,CreateFileW,GetLastError,??2@YAPAXI@Z,memset,DeviceIoControl,CloseHandle,GetLastError,CloseHandle,??3@YAXPAX@Z, \\.\PhysicalDrive%d 0_2_00B43D30

Boot Survival

Source: C:\Users\user\Desktop\file.exe Code function: ?append@QString@@QAEAAV1@ABV1@@Z,?fromAscii_helper@QString@@CAPAUData@1@PBDH@Z,memset,CreateFileW,memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,malloc,memset,MultiByteToWideChar,??2@YAPAXI@Z,DeviceIoControl,??2@YAPAXI@Z,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,CloseHandle,DeviceIoControl,CreateFileW,DeviceIoControl,memset,DeviceIoControl,CloseHandle,DeviceIoControl,GetDiskFreeSpaceExW,malloc,malloc,memset,malloc,GetVolumeInformationW,malloc,memset,malloc,memset,CloseHandle,DeviceIoControl, \\.\PhysicalDrive%d 0_2_00B92D20
Source: C:\Users\user\Desktop\file.exe Code function: CreateFileW,GetLastError,DeviceIoControl,CloseHandle,GetLastError,CloseHandle,CloseHandle,CreateFileW,GetLastError,??2@YAPAXI@Z,memset,DeviceIoControl,CloseHandle,GetLastError,CloseHandle,??3@YAXPAX@Z, \\.\PhysicalDrive%d 0_2_00B43D30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B80580 VirtualQuery,GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,CloseHandle, 0_2_00B80580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5CFC0 SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,wcscmp,memset,SetupDiGetDeviceRegistryPropertyW,wprintf,SetupDiEnumDeviceInterfaces,GetLastError, 0_2_00B5CFC0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5CCA0 memset,GetLogicalDriveStringsW,CreateFileW,DeviceIoControl,GetDriveTypeW,GetVolumeInformationW,CloseHandle,CloseHandle,wcslen,GetVolumeInformationW,_DebugHeapAllocator,_DebugHeapAllocator, 0_2_00B5CCA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92750 memset,GetVersionExW,?fromAscii_helper@QString@@CAPAUData@1@PBDH@Z,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetSystemInfo,?append@QString@@QAEAAV1@ABV1@@Z,GetModuleHandleW,GetProcAddress,GetSystemMetrics,printf, 0_2_00B92750
Source: file.exe Binary or memory string: VMware
Source: file.exe Binary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B953AE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00B953AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B80580 VirtualQuery,GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,CloseHandle, 0_2_00B80580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7DDB0 LoadLibraryW,GetProcAddress,VirtualProtect,VirtualProtect,GetCurrentProcess,WriteProcessMemory,VirtualProtect, 0_2_00B7DDB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B656F0 ?currentIndex@QComboBox@@QBEHXZ,?count@QComboBox@@QBEHXZ,??0QString@@QAE@PBD@Z,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,?isChecked@QAbstractButton@@QBE_NXZ,??0QFileInfo@@QAE@ABVQString@@@Z,?exists@QFileInfo@@QBE_NXZ,??1QString@@QAE@XZ,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,?size@QFileInfo@@QBE_JXZ,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,?itemData@QComboBox@@QBE?AVQVariant@@HH@Z,?toString@QVariant@@QBE?AVQString@@XZ,??1QVariant@@QAE@XZ,??0QString@@QAE@PBD@Z,memset,memset,memset,?toWCharArray@QString@@QBEHPAG@Z,??1QString@@QAE@XZ,?toWCharArray@QString@@QBEHPAG@Z,GetVolumeNameForVolumeMountPointW,?fromWCharArray@QString@@SA?AV1@PBGH@Z,?length@QString@@QBEHXZ,?left@QString@@QBE?AV1@H@Z,??4QString@@QAEAAV0@$$QAV0@@Z,??1QString@@QAE@XZ,memset,?toWCharArray@QString@@QBEHPAG@Z,CreateFileW,??0QChar@@QAE@UQLatin1Char@@@Z,?arg@QString@@QBE?AV1@ABV1@HABVQChar@@@Z,??1QString@@QAE@XZ,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,DeleteVolumeMountPointW,DeviceIoControl,Sleep,?instance@QCoreApplication@@SAPAV1@XZ,?processEvents@QCoreApplication@@SAXV?$QFlags@W4ProcessEventsFlag@QEventLoop@@@@@Z,GetProcessHeap,HeapAlloc,memset,??0QString@@QAE@PBD@Z,??0QString@@QAE@PBD@Z,?instance@QCoreApplication@@SAPAV1@XZ,?processEvents@QCoreApplication@@SAXV?$QFlags@W4ProcessEventsFlag@QEventLoop@@@@@Z,WriteFile,??0QChar@@QAE@UQLatin1Char@@@Z,??0QChar@@QAE@UQLatin1Char@@@Z,GetLastError,?arg@QString@@QBE?AV1@HHHABVQChar@@@Z,?arg@QString@@QBE?AV1@KHHABVQChar@@@Z,??4QString@@QAEAAV0@$$QAV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,SetFilePointer,ReadFile,??0QChar@@QAE@UQLatin1Char@@@Z,??0QChar@@QAE@UQLatin1Char@@@Z,GetLastError,?arg@QString@@QBE?AV1@HHHABVQChar@@@Z,?arg@QString@@QBE?AV1@KHHABVQChar@@@Z,??4QString@@QAEAAV0@$$QAV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,GetProcessHeap,HeapFree,CloseHandle,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@XZ,??0QString@@QAE@PBD@Z,??0QChar@@QAE@UQLatin1Char@@@Z,??0QChar@@QAE@UQLatin1Char@@@Z,??0QString@@QAE@PBD@Z,?arg@QString@@QBE?AV1@ABV1@HABVQChar@@@Z,?arg@QString@@QBE?AV1@HHHABVQChar@@@Z,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@PBD@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@ABV0@@Z,??0QString@@QAE@PBD@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@PBD@Z,??0QChar@@QAE@UQLatin1Char@@@Z,??0QString@@QAE@PBD@Z,?arg@QString@@QBE?AV1@ABV1@HABVQChar@@@Z,??0QString@@QAE@ABV0@@Z,??1QString@@QAE@XZ,??0QString@@QAE@PBD@Z,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QString@@QAE@XZ,??1QFileInfo@@QAE@XZ,??1QString@@QAE@XZ,??0QString@@QAE@PBD@Z,??0QChar@@QAE@UQ 0_2_00B656F0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7E590 memset,GetVersionExW,??4QString@@QAEAAV0@ABV0@@Z,SetUnhandledExceptionFilter,?free@QString@@CAXPAUData@1@@Z, 0_2_00B7E590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B953AE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00B953AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B95D6E SetUnhandledExceptionFilter, 0_2_00B95D6E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5CFC0 SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,wcscmp,memset,SetupDiGetDeviceRegistryPropertyW,wprintf,SetupDiEnumDeviceInterfaces,GetLastError, 0_2_00B5CFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C230 GetLocalTime, 0_2_00B2C230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7E590 memset,GetVersionExW,??4QString@@QAEAAV0@ABV0@@Z,SetUnhandledExceptionFilter,?free@QString@@CAXPAUData@1@@Z, 0_2_00B7E590
No contacted IP infos