Windows Analysis Report
MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip

Overview

General Information

Sample name:	MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip
Analysis ID:	1545603
MD5:	c66f729c7ea4996b377039d99d7f6c28
SHA1:	29e5576d99dd1c66f228db18c2fff1e85a021519
SHA256:	e6a72ab4e6f7887f0fd3c3290a7e32523f0a7bdd3386cdc326bef65d0d03552e
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4x nop then mov rsi, r9		4_2_001058E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4x nop then mov rdi, 0000800000000000h		4_2_00104B20

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E5420	4_2_000E5420
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_0011F480	4_2_0011F480
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000FBCA0	4_2_000FBCA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EBCE0	4_2_000EBCE0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E84E0	4_2_000E84E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001058E0	4_2_001058E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E5D00	4_2_000E5D00
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EB120	4_2_000EB120
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E6180	4_2_000E6180
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00112DA0	4_2_00112DA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F69C0	4_2_000F69C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001231C0	4_2_001231C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F1AA0	4_2_000F1AA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001016C0	4_2_001016C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F96E0	4_2_000F96E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00121F00	4_2_00121F00
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00104B20	4_2_00104B20
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00106B40	4_2_00106B40
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00110340	4_2_00110340
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EA760	4_2_000EA760
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000FCF60	4_2_000FCF60
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F2780	4_2_000F2780
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00102380	4_2_00102380
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00104FC0	4_2_00104FC0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_0010D7C0	4_2_0010D7C0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: String function: 0010FB40 appears 323 times
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: String function: 001227A0 appears 37 times

Source: classification engine

Classification label: sus23.evad.winZIP@17/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	File opened: C:\Windows\system32\75548224bf2c1f17b00f8cd347c64b71799871b3bfe9225e88bc706be3015896AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	File opened: C:\Windows\system32\611ba3cdcb11afb68755104e56c2d8371ca6161be2276ecf333fd9678d55f3f0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\44e9a29dc1e6355c0dd1b46c1774409c1f74fc07cdc7cb46efe2188d65a3ff93AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\c5011dd4c2e8318e06c30dad8a094386c6b420e29733e535ceb384ad8e38aa6aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\8744d673472c9b5ef703c1165ea8a5888e74937694e2934cdc70314e5bf78a03AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\a5269e9b68e367e606b74f36daa107168983bc0cf72574dcf5c3bef023d3966bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\22d0dbef0aa1a35dab6a9a96574958792fa3c11f3b75bd91a77ecf72056efda5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	File opened: C:\Windows\system32\d88ebffa1635166688494eb95ff40d260bfe7af1927a4226313c5efff0fa6c69AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Keygen.exe "C:\Users\user\Desktop\Keygen.exe"
Source: C:\Users\user\Desktop\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior

Source: MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip

Static file information: File size 1118749 > 1048576

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_000F4388 push rdx; retf

4_2_000F438B

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 rdtscp

4_2_00134600

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Keygen.exe, 00000004.00000002.1222885370.00000000000E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HgFSPvd9fLU
Source: Keygen.exe, 00000004.00000002.1225280053.00000268D423D000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000006.00000002.1249958428.000001BCE0263000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000000E.00000002.1339564342.0000022D61607000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000010.00000002.1444017001.0000028816613000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000012.00000002.1452965431.00000216D1B13000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000001C.00000002.2152799450.0000019939958000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000001E.00000002.2185757771.00000170B1473000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000021.00000002.2271446351.0000021B0659C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 Start: 00134609 End: 0013461F

4_2_00134600

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 rdtscp

4_2_00134600

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4x nop then mov rsi, r9		4_2_001058E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4x nop then mov rdi, 0000800000000000h		4_2_00104B20

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E5420	4_2_000E5420
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_0011F480	4_2_0011F480
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000FBCA0	4_2_000FBCA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EBCE0	4_2_000EBCE0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E84E0	4_2_000E84E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001058E0	4_2_001058E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E5D00	4_2_000E5D00
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EB120	4_2_000EB120
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000E6180	4_2_000E6180
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00112DA0	4_2_00112DA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F69C0	4_2_000F69C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001231C0	4_2_001231C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F1AA0	4_2_000F1AA0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_001016C0	4_2_001016C0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F96E0	4_2_000F96E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00121F00	4_2_00121F00
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00104B20	4_2_00104B20
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00106B40	4_2_00106B40
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00110340	4_2_00110340
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000EA760	4_2_000EA760
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000FCF60	4_2_000FCF60
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_000F2780	4_2_000F2780
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00102380	4_2_00102380
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_00104FC0	4_2_00104FC0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: 4_2_0010D7C0	4_2_0010D7C0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: String function: 0010FB40 appears 323 times
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Code function: String function: 001227A0 appears 37 times

Source: classification engine

Classification label: sus23.evad.winZIP@17/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	File opened: C:\Windows\system32\75548224bf2c1f17b00f8cd347c64b71799871b3bfe9225e88bc706be3015896AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	File opened: C:\Windows\system32\611ba3cdcb11afb68755104e56c2d8371ca6161be2276ecf333fd9678d55f3f0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\44e9a29dc1e6355c0dd1b46c1774409c1f74fc07cdc7cb46efe2188d65a3ff93AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\c5011dd4c2e8318e06c30dad8a094386c6b420e29733e535ceb384ad8e38aa6aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\8744d673472c9b5ef703c1165ea8a5888e74937694e2934cdc70314e5bf78a03AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\a5269e9b68e367e606b74f36daa107168983bc0cf72574dcf5c3bef023d3966bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	File opened: C:\Windows\system32\22d0dbef0aa1a35dab6a9a96574958792fa3c11f3b75bd91a77ecf72056efda5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	File opened: C:\Windows\system32\d88ebffa1635166688494eb95ff40d260bfe7af1927a4226313c5efff0fa6c69AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe "C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe"
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Keygen.exe "C:\Users\user\Desktop\Keygen.exe"
Source: C:\Users\user\Desktop\Keygen.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Section loaded: umpdc.dll	Jump to behavior

Source: MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip

Static file information: File size 1118749 > 1048576

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_000F4388 push rdx; retf

4_2_000F438B

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Keygen.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 rdtscp

4_2_00134600

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Keygen.exe, 00000004.00000002.1222885370.00000000000E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HgFSPvd9fLU
Source: Keygen.exe, 00000004.00000002.1225280053.00000268D423D000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000006.00000002.1249958428.000001BCE0263000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000000E.00000002.1339564342.0000022D61607000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000010.00000002.1444017001.0000028816613000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000012.00000002.1452965431.00000216D1B13000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000001C.00000002.2152799450.0000019939958000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 0000001E.00000002.2185757771.00000170B1473000.00000004.00000020.00020000.00000000.sdmp, Keygen.exe, 00000021.00000002.2271446351.0000021B0659C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 Start: 00134609 End: 0013461F

4_2_00134600

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip\Keygen.exe

Code function: 4_2_00134600 rdtscp

4_2_00134600

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

ID:	1545603
Product:	CloudBasic
Start time:	17:55:34
Start date:	30.10.2024
Sample:	MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c66f729c7ea4996b377039d99d7f6c28
SHA1:	29e5576d99dd1c66f228db18c2fff1e85a021519
SHA256:	e6a72ab4e6f7887f0fd3c3290a7e32523f0a7bdd3386cdc326bef65d0d03552e
Filetype:	ZIP compressed archive (8000/1) 100.00%

Windows Analysis Report
MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
MDE_File_Sample_a180428075a5fd23e3c8a51395fe04afb13da029.zip