Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522716
MD5: 52f3d33b2ce1ae6640a20e19506b7acb
SHA1: 09833b92ef643b687fc0e51c7bc6316011e30604
SHA256: 0d42c76532e1f811ba1e34911976f04fa2616dbe9af1f6f9cdf75193ad9f482b
Tags: exe, signed, user-jstrosch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403B58 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00403B58
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown DNS traffic detected: query: info.pillowkidguest.ru replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: s.itorrent.bz
Source: global traffic DNS traffic detected: DNS query: info.pillowkidguest.ru
Source: global traffic DNS traffic detected: DNS query: cdn.itorrent.bz
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cdn.itorrent.bz/
Source: file.exe String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zip
Source: file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zip5
Source: file.exe String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zipFreeSpacer_setup.exe.
Source: file.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: file.exe String found in binary or memory: http://g.itorrent.bz/support.i
Source: file.exe String found in binary or memory: http://g.itorrent.bz/support.ilbad
Source: file.exe, 00000000.00000003.1887309756.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001835622.00000000006CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://info.pillowkidguest.ru/Ts
Source: file.exe String found in binary or memory: http://info.pillowkidguest.ru/logo.png
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://info.pillowkidguest.ru/logo.pngU
Source: file.exe String found in binary or memory: http://info.pillowkidguest.ru/logo.pnga8b13a8ef5c233e82e7c47bb5977f38a
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://info.pillowkidguest.ru/logo.pngm
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://info.pillowkidguest.ru/logo.pngs2
Source: file.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz//
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz//95
Source: file.exe String found in binary or memory: http://s.itorrent.bz/i/
Source: file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df%
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404/
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404T
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404j
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/s/?version=1.0.0.404
Source: file.exe String found in binary or memory: http://s.itorrent.bz/i/BUTTON###image/pngCan
Source: file.exe, 00000000.00000002.3001835622.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1887309756.00000000006C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/l$J
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.itorrent.bz/w5
Source: file.exe String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx
Source: file.exe String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxF
Source: file.exe, 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxJ
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411CFB 0_2_00411CFB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004360B3 0_2_004360B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00437135 0_2_00437135
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004341AD 0_2_004341AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042D2E3 0_2_0042D2E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004345E2 0_2_004345E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00436625 0_2_00436625
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041E68F 0_2_0041E68F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004338A1 0_2_004338A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00424950 0_2_00424950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00434A17 0_2_00434A17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00437B4C 0_2_00437B4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041DC2B 0_2_0041DC2B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042DCCB 0_2_0042DCCB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00425C8F 0_2_00425C8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00433D95 0_2_00433D95
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00426F5F 0_2_00426F5F
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00439BBF appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00438F67 appears 41 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004261A0 appears 61 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00439B56 appears 46 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00439B89 appears 68 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040792F appears 31 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@1/1@11/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406633 __EH_prolog3_GS,_memset,SHGetFolderPathW,CoCreateInstance,CoTaskMemFree, 0_2_00406633
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405D6E LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,CreateStreamOnHGlobal,GlobalFree,GdipAlloc, 0_2_00405D6E
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Command line argument: Debug 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: xD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: $C 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: LyD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: @yD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: DyD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: HyD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: LhD 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: prf 0_2_00412753
Source: C:\Users\user\Desktop\file.exe Command line argument: NB 0_2_0042E7A0
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe String found in binary or memory: --start
Source: file.exe String found in binary or memory: //d/ps/p/installed/i
Source: file.exe String found in binary or memory: --install
Source: file.exe String found in binary or memory: //d/ps/p/installed/i
Source: file.exe String found in binary or memory: @openhttpieoperalauncheroperaoldyandexgooglechromeinternet explorerfirefoxffamigo01HKLMHKEY_LOCAL_MACHINE\DisplayNameSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall<?xml version="1.0"?><d></d>//d/ps/p/rs/rname//d/ps/p/fs/f//d/ps/p/installed/i//d/machineid//d/guid//d/defbrowser//d/osexceptionl
Source: file.exe String found in binary or memory: iTorrent.--installset-autoloadset-defaultset-firewall --
Source: file.exe String found in binary or memory: dftsttfdp%ib%ipdfif--startpifip%ib%iContent-Type: application/xml;
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Window detected: Number of UI elements: 31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004261E5 push ecx; ret 0_2_004261F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00439B24 push ecx; ret 0_2_00439B37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00425C8F EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00425C8F
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004265DC _memset,IsDebuggerPresent, 0_2_004265DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042EC02 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0042EC02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00425B2B GetProcessHeap, 0_2_00425B2B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004278D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004278D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004278A7 SetUnhandledExceptionFilter, 0_2_004278A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042687D cpuid 0_2_0042687D
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0042F095
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0042F249
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0042F20C
Source: C:\Users\user\Desktop\file.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_004263F6
Source: C:\Users\user\Desktop\file.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_00435614
Source: C:\Users\user\Desktop\file.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_004358C8
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00435888
Source: C:\Users\user\Desktop\file.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00435945
Source: C:\Users\user\Desktop\file.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_004359C8
Source: C:\Users\user\Desktop\file.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_00435BBD
Source: C:\Users\user\Desktop\file.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00435CE7
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_00435D94
Source: C:\Users\user\Desktop\file.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_00435E68
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00424662 GetSystemTimeAsFileTime, 0_2_00424662
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004038C5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,LookupAccountNameW,GetLastError,LookupAccountNameW, 0_2_004038C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A723 __EH_prolog3_GS,_memset,GetVersionExW, 0_2_0040A723
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos