Windows Analysis Report
Label.exe

Overview

General Information

Sample name: Label.exe
Analysis ID: 1525466
MD5: e12f93d462a622f32a4ff1e646549c42
SHA1: 540853beffb0ba9b26cf305bcf92fad82599eb3c
SHA256: f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
Tags: exePreftuser-smica83

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops password protected ZIP file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Installs a raw input device (often for capturing keystrokes)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Label.exe ReversingLabs: Detection: 42%
Source: Label.exe Virustotal: Detection: 62%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 83.4% probability
Source: Binary string: ntkrnlmp.pdbD! source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdbD!68A17FAF3012B7846079AEECDBE0A5831 source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdb source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdbD!01AB9056EA9380F71644C4339E3FA1AC2 source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdbD! source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdb0 source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdb source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdbl source: c.tmp~.0.dr
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003E654 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_000000014003E654
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\

Networking

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140056A50 SrcHashImpl::SrcHashImpl,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard, 0_2_0000000140056A50
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002C3A8 GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,NotifyWinEvent,NotifyWinEvent,SetCapture,RedrawWindow, 0_2_000000014002C3A8
Source: c.tmp~.0.dr Binary or memory string: _WinAPI_RegisterRawInputDevices.au3 memstr_ece8dcda-a
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140054154 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageW,ScreenToClient,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,SendMessageW,GetParent, 0_2_0000000140054154
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140014234 GetKeyState,GetKeyState,GetKeyState,SendMessageW, 0_2_0000000140014234

System Summary

Source: c.tmp-.0.dr Zip Entry: encrypted
Source: ~E52D1ACF.tmp.0.dr Zip Entry: encrypted
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140015FF8 0_2_0000000140015FF8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140082020 0_2_0000000140082020
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003404C 0_2_000000014003404C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014001A0EC 0_2_000000014001A0EC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140041118 0_2_0000000140041118
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014004E138 0_2_000000014004E138
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140054154 0_2_0000000140054154
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140020280 0_2_0000000140020280
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014000C33C 0_2_000000014000C33C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002C3A8 0_2_000000014002C3A8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400373BC 0_2_00000001400373BC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400383C4 0_2_00000001400383C4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400353CC 0_2_00000001400353CC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400A33EC 0_2_00000001400A33EC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400453F4 0_2_00000001400453F4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140022458 0_2_0000000140022458
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014005948C 0_2_000000014005948C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002649C 0_2_000000014002649C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400304C4 0_2_00000001400304C4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400434F8 0_2_00000001400434F8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140027588 0_2_0000000140027588
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002D6B0 0_2_000000014002D6B0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003C6D0 0_2_000000014003C6D0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140047788 0_2_0000000140047788
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001401898BC 0_2_00000001401898BC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002F934 0_2_000000014002F934
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003A9A0 0_2_000000014003A9A0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140056A50 0_2_0000000140056A50
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140089A44 0_2_0000000140089A44
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140047AD0 0_2_0000000140047AD0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400A5B34 0_2_00000001400A5B34
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140197B80 0_2_0000000140197B80
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140038BAC 0_2_0000000140038BAC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014004EBC8 0_2_000000014004EBC8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140029BF8 0_2_0000000140029BF8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140190C40 0_2_0000000140190C40
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140039CE0 0_2_0000000140039CE0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140055D1C 0_2_0000000140055D1C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014000ADB4 0_2_000000014000ADB4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140037DE0 0_2_0000000140037DE0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140096E18 0_2_0000000140096E18
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400E8E28 0_2_00000001400E8E28
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140058E50 0_2_0000000140058E50
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140025E50 0_2_0000000140025E50
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014000BEE4 0_2_000000014000BEE4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140043F6C 0_2_0000000140043F6C
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_00000001400CFFC4 0_2_00000001400CFFC4
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F885F0 0_2_01F885F0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01FA0494 0_2_01FA0494
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F87410 0_2_01F87410
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01FA27A8 0_2_01FA27A8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F87910 0_2_01F87910
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F9E860 0_2_01F9E860
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F87B70 0_2_01F87B70
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F9ED30 0_2_01F9ED30
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F91C10 0_2_01F91C10
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F95F70 0_2_01F95F70
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F9BF74 0_2_01F9BF74
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01F91E8C 0_2_01F91E8C
Source: Label.exe Static PE information: invalid certificate
Source: classification engine Classification label: mal64.troj.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140007258 CoInitialize,CoCreateInstance, 0_2_0000000140007258
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014000807C FindResourceW,LoadResource,LockResource,FreeResource, 0_2_000000014000807C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Users\user\Desktop\Label.exe File created: C:\Users\user\AppData\Local\Temp\temp
Source: Label.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Label.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Label.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Label.exe ReversingLabs: Detection: 42%
Source: Label.exe Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\Label.exe File read: C:\Users\user\Desktop\Label.exe
Source: unknown Process created: C:\Users\user\Desktop\Label.exe "C:\Users\user\Desktop\Label.exe"
Source: C:\Users\user\Desktop\Label.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Users\user\Desktop\Label.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Label.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Label.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Label.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Label.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Label.exe Static file information: File size 2814800 > 1048576
Source: Label.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ad200
Source: Label.exe Static PE information: More than 200 imports for USER32.dll
Source: Label.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntkrnlmp.pdbD! source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdbD!68A17FAF3012B7846079AEECDBE0A5831 source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdb source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdbD!01AB9056EA9380F71644C4339E3FA1AC2 source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdbD! source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdb0 source: c.tmp~.0.dr
Source: Binary string: winload_prod.pdb source: c.tmp~.0.dr
Source: Binary string: ntkrnlmp.pdbl source: c.tmp~.0.dr
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003E924 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError, 0_2_000000014003E924
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003BFF1 push rbp; iretd 0_2_000000014003BFF7
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003BA80 push rbp; iretd 0_2_000000014003BA81
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003BFCB push rbp; iretd 0_2_000000014003BFCC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01FAA2CD push rcx; retf 003Fh 0_2_01FAA2CE
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01FA9925 push rsi; ret 0_2_01FA9926
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140004430 IsIconic, 0_2_0000000140004430
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140046A00 IsWindowVisible,IsIconic, 0_2_0000000140046A00
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014002CBC8 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_000000014002CBC8
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140015FC4 IsIconic, 0_2_0000000140015FC4
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Label.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Users\user\Desktop\Label.exe API coverage: 0.0 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003E654 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_000000014003E654
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\Label.exe File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: F|Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr Binary or memory string: F[Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mumn
Source: c.tmp~.0.dr Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr Binary or memory string: FRMicrosoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.mum
Source: c.tmp~.0.dr Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr Binary or memory string: F]Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: FYHyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: F`HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.catM%t
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.cat
Source: c.tmp~.0.dr Binary or memory string: FWHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr Binary or memory string: FYMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr Binary or memory string: F_Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumw
Source: c.tmp~.0.dr Binary or memory string: FTMicrosoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: F[Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr Binary or memory string: F|Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: F[Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: c.tmp~.0.dr Binary or memory string: FYMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr Binary or memory string: FWHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr Binary or memory string: F^HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr Binary or memory string: F_HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.catg-
Source: c.tmp~.0.dr Binary or memory string: F_HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumw
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr Binary or memory string: FXMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr Binary or memory string: FZMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr Binary or memory string: FTMicrosoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mumY
Source: c.tmp~.0.dr Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr Binary or memory string: FaMicrosoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr Binary or memory string: FYMicrosoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.mume
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: c.tmp~.0.dr Binary or memory string: F_Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr Binary or memory string: FsMicrosoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr Binary or memory string: Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: c.tmp~.0.dr Binary or memory string: FNMicrosoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140185454 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_0000000140185454
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140009FF0 OutputDebugStringA,ActivateActCtx,GetLastError,DeactivateActCtx,SetLastError, 0_2_0000000140009FF0
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014003E924 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError, 0_2_000000014003E924
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_000000014018A7FC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014018A7FC
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140184BFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140184BFC
Source: C:\Users\user\Desktop\Label.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_01FA25F0 cpuid 0_2_01FA25F0
Source: C:\Users\user\Desktop\Label.exe Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 0_2_000000014001C3CC
Source: C:\Users\user\Desktop\Label.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Label.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140184E98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000140184E98
Source: C:\Users\user\Desktop\Label.exe Code function: 0_2_0000000140005240 GetCurrentThread,GetCurrentThreadId,GetVersionExW, 0_2_0000000140005240
Source: c.tmp~.0.dr Binary or memory string: MsMpEng.exe