SecondWrite DeepView - 8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff

902.7 kB

Size

2020-07-20 08:51:06

First seen 15 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

High

Virus

Low

Banker

High

Bot

Low

Rat

Low

Adware

Low

Infostealer

Low

Worm

Low

Spyware

High

Indicators

Expand All

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Debug

Checks for the presence of known devices from debuggers and forensic tools

Anti-Sandbox

Detects Sandboxie through the presence of a library

Anti-Vm

Detects VMWare through the in instruction feature

PID	API	Arguments
2700	__exception__	stacktrace: [u'BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x7dd733ca', u'RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2', u'RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5'] exception: {u'instruction_r': u'ed b8 01 00 00 00 eb 13 8b 44 24 0c c7 80 b8 00', u'symbol': u'8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff+0x78cc', u'instruction': u'in eax, dx', u'module': u'8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe', u'exception_code': u'0xc0000096', u'offset': 30924, u'address': u'0x4078cc'} registers: {u'esp': 1638184, u'edi': 0, u'eax': 1447909480, u'ebp': 1638280, u'edx': 22104, u'ebx': 1013774098, u'esi': 0, u'ecx': 10}

Av-Tools

This sample is detected by clamav as: Win.Spyware.Banker-3114

One or more AV tool detects this sample as malicious: Trojan:Win32/Tiggre!rfn

Generic

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Repeatedly searches for a not-found process, you may want to run a web browser during analysis

PID	API	Arguments
2700	Process32NextW	snapshot_handle: 0x000000c8 process_name: 8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe process_identifier: 2740

One or more of the buffers contains an embedded PE file

Injection

Executed a process and injected code into it, probably while unpacking

PID	API	Arguments
2748	CreateProcessInternalW	thread_identifier: 2704 thread_handle: 0x00000100 process_identifier: 2700 current_directory: filepath: track: 1 command_line: C:\Users\Virtual\AppData\Local\Temp\8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe filepath_r: stack_pivoted: 0 creation_flags: 4 inherit_handles: 0 process_handle: 0x00000104
2748	NtGetContextThread	thread_handle: 0x00000100
2748	NtUnmapViewOfSection	base_address: 0x00400000 region_size: 4096 process_identifier: 2700 process_handle: 0x00000104
2748	NtAllocateVirtualMemory	process_identifier: 2700 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00400000 allocation_type: 12288 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x00400000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x00401000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040a000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040b000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040c000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040d000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040e000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x0040f000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x00410000 process_identifier: 2700 process_handle: 0x00000104
2748	WriteProcessMemory	buffer: base_address: 0x7efde008 process_identifier: 2700 process_handle: 0x00000104
2748	NtSetContextThread	registers: {u'eip': 2112356804, u'esp': 1638384, u'edi': 0, u'eax': 4233312, u'ebp': 0, u'edx': 0, u'ebx': 2130567168, u'esi': 0, u'ecx': 0} thread_handle: 0x00000100 process_identifier: 2700
2748	NtResumeThread	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2700

Origin

Unconventionial language used in binary resources

Packer

The executable has PE anomalies (could be a false positive)

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2748	NtAllocateVirtualMemory	process_identifier: 2596 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x002e0000 allocation_type: 4096 process_handle: 0xffffffff
2748	NtAllocateVirtualMemory	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x00320000 allocation_type: 4096 process_handle: 0xffffffff

The binary likely contains encrypted or compressed data.

Program-Level-Features

Contains obfuscated control-flow to defeat static analysis.

More than %50 of the external calls do not go through the import address table

Static

This sample contains high entropy sections

Anomalous binary characteristics

Presents an Authenticode digital signature

Yara

Yara Pattern Name	Description
Str_Win32_Winsock2_Library	Match Winsock 2 API library declaration
IsPE32	No Description Available
keylogger	Run a keylogger
win_registry	Affect system registries
suspicious_packer_section	The packer/protector section names/keywords

Static Analysis

Version Infos

LegalCopyright:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
InternalName:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
FileVersion:: 1.5.9.200
CompanyName:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
\xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 / :: n
LegalTrademarks:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
Comments:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
ProductName:
ProductVersion:: 0.9900
FileDescription:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
OriginalFilename:: \xd8\xb3\xd8\xb7\xd9\x88\xd8\xa7\xd9\x86\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaa\xd8\xb4\xd9\x81\xd9\x8a\xd8\xb1 \xd8\xa8\xd8\xa7\xd9\x84\xd8\xba\xd8\xa9 \xd8\xa7\xd9\x84\xd8\xaf\xd9\x84\xd9\x81\xd9\x8a 7 /
Translation:: 0x2c01 0x04e8

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
CODE	0x00001000	0x0020b000	0x00091600	7.99973984913
.rsrc	0x0020c000	0x0004b000	0x0004ac00	4.66385647385

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_CURSOR	0x00134750	0x00000134	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_BITMAP	0x00135ac0	0x000000e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_ICON	0x00254d50	0x00000468	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_DIALOG	0x00135ba8	0x00000052	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_STRING	0x0013ad40	0x00000328	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0013b448	0x00086291	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0013b448	0x00086291	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0013b448	0x00086291	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_RCDATA	0x0013b448	0x00086291	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_CURSOR	0x001c1770	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_ICON	0x002551b8	0x00000092	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None
RT_VERSION	0x00255250	0x00000484	LANG_ARABIC	SUBLANG_ARABIC_JORDAN	None
RT_MANIFEST	0x002556d8	0x000002f0	LANG_ARABIC	SUBLANG_ARABIC_SAUDI_ARABIA	None

Imports

Library kernel32.dll:

GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree

Library user32.dll:

GetKeyboardType

Library advapi32.dll:

RegQueryValueExA

Library oleaut32.dll:

SysFreeString

Library version.dll:

VerQueryValueA

Library gdi32.dll:

UnrealizeObject

Library ole32.dll:

CoTaskMemAlloc

Library comctl32.dll:

ImageList_SetIconSize

Library winspool.drv:

OpenPrinterA

Library wsock32.dll:

__WSAFDIsSet

Strings

This program must be run under Win32
PEC2^O
PECompact2
7h1BWk
g_*)e0[
C ~482
PZWi*o
|XbTE:
zfce^U
Rly@e;
#Z7co_`;
]w*3y}
'Zop%=B
XOF9FPX
c</"}
ITQNC9
\EtLC%B
kMt]YxnP`7
_es8H&U
zE'!ON
h5(?mv
M>Y;3
$Adkali
#"\Pi>
eHd$Y1U{6
am,A%'r
M!zjHtY{
*i.KYu#
dPtgG
Am32$
BJIQ*@
\yIV=e:
w\FQ/I
Vj|CV`U
@GLU`(i
FC|y}\
oJoJK&[
*![ QD
Y2Yw-CD
Pm.TJ@_)LB+
xA`&eE5
-0{L="
I}XcVwi
."c:d,
w&zP+x
VDsm94
X_s(:z
93/PH
GnXu:/3
:Ld=""
QT0g'$
XwN*5z.<
wx1~mlg
dhtH)(.N
EM7q5]:
<84*P~
ujrFVB
gTmz2"
KSW_3
H#}+&_MMDn/
LNhb@H
:FiD!gH
y/nGI\wXn
jGlNjH
Nn_ V.
F_>E8T`'
&i(_lz
D[lL NJ;Z8
+:?r[{
l9\"{4
K96MwJ
F!k'cC
q / i]M
7(^p5j
+N\v2[
;.TOy[
}2`Am\
[}^,qT1
7t =>+=:
KN>|r}s
Q@]z@7x
^9j"";
hQ4Cs
Z[WGAV=
)c!lEU
Q?EIIg
k-%Mul
'mDZ0
uv=BL?
yf:%^@
0I#cb2B=
jyDILE
0?iP@l<
yg~lci
oF-d+-E)
qEviTCv
<hxgK%
p_~KUt
>$2N@v~
UW'r:0O
ab3 sy
jHHAEI
*]*)b\
=zd3~s
H]ZF^#
vL{ZwN8S
A:?[`q
\=0JSm (M
aJ9tC=
EBX3;@y
H?#d
zt1)#o^
UewDf9b
> PDdz.
1Of?tZE
Jte>pt
z",{8"t
4qNk~"
rz<tWp
Ba5q7U
mOF*"s
:+pdq_]a
FTU; U
\p^}-w(
|@%lvn
t5yC9n
^%P6dc
`K.SEik
9]2e r(ix
OX6s"y}
46h&bK
^_"o_f+v[
x`N<-p:`
e?Y_n.
EcX`f7
V7:"oA
_1Zb N
06k1Ad
8Sx`>{fTA
Sj6s1g#-
6l+kc:
AwijWZ
vs,,PDL
fF~\.&
gUn&ai"c
*Rygu4
<ELoiEbZkX
C92/D
glSNZX
=RA:!^V
+D?W$O
V,ORbh)
rD]L0-
0Jh>SmF
mOX'7#3.
=ID/YEk
*hbezR7$
~-JAVw
GWZ%omq,
-L@}C4
"ZozFO\4
Y'PDCsl
TU*^t?
'6B9 69U
j!1d8e
r/qvV,
1Oe5>&*
>8?(48S
Ut3m?~
{l>ig5
WO11|+
XnDhx!
>)8O2Es
.;1<(P7
nBU\9VU@3 V
4HG*Oo
?!. &t
!X)91 p,*
:MiTY73
j^FN#T
SR)#>UB
Qszq);.
R|y (0QX6z
spkO:y
'3*t!
#piRTQ
D*|cEL
N1h8h@2
pBTPih
cFJ1II
xHx2t#
_!k++
B\P-bl
xp2d O
:h)D1Z
d@+}3[`2NG
?p-]=.S
}-6`p}
9NfCd2o
*W?m&i
T#=3:
c9v>-)
sASn'k
5|fN}t#
Ime@I14
Sbaabq
+ V%W2
dvf+vD
o2;TEZ6&'
oWt0\M
qeF)T*
<x]Q%
A6lO.(Lv
Fs2eJ/>
=/IF4ym
8a6fJF
jW1U%m
OVOW,(
w4,Uj*
[T4/|i
;9[TL{5ak
TStD%I
2ERg|qP
]JP%8|
\;5D+5$Eo
$8D9@?
YJm7:-
%q;HIC
'K<(.%R
*Ho?nz'MXr\
*`rWCJT
~*Q^5F
z'Nuch/)
~DC+1Pm4
IHBD]0j
r!hlBl-
xQmMp |(
.dU\$7
=z&,e)\=
F*4OX
*: r$e
c.8g82WR
5|mYgA>
]|ykMX
r+6Jlji
`,k$H=
%fy?=8j
w8%-v$
/8:H<M
$ILoY
b(c$jzE
j33??~US
"Sh<Nv
FY)MH
Cs&>\^&
_T8gQ
'Kt~n|+
K~7</K
J-]KRe
"{HY*b
AcAsy7
$CQ]A6
Xr7;&Y
gTij d1{
g>bVKqv
[{$=[
={hzP~e
gK<C~o
OyzDE}
{:1 B|wQP
8 Xr\0
vboF)Y
$YQ|Rc
``dB30
r8)>-o
\]WQ %MK
X[4=Gg
De4$pdW
5oB><|
Qk@iD7Y\
+HWK%`
OR@mR"R1
F%uapS4
EFq62Q
\O16]uh
d U*\wYz{K3
%O*ej,
h7]X@[r
*xtZn7e/9Y
'U"[#_6
\Z?yL(/R
EJ>k}o}
~qQkBg([
PO.JU/]
]e;r/S
,-W}hqh{8
,P(Li?
gOx;\.
do4aA|
_Mvd`r
8L~*@,
EP/PI+]
;^&DTl
rL+;:y{
#af(EA
0o74ci
wvpm{K}n
Y{T#o`m
[y\ 6f
>v7P^zP
[A^wG
"PBl`8W@
-jg:o'
3aNS]g+
Am@]dT
)K$\?T
0K>HPj
<<b_(I*
?JKaJLM
%4hoM>
(prw'~"cq
/2^fe
9wpr(<
k%NlF;
*K|!]Q(}!
(@LvQ)
p:uuF>K
gSNU|m
"R1kd{
!fva/Lw
27Q\yY
*D:"*y
_ArDW\%$[@o:
,iF)!#
`p%#S'
ILS6t7B@
og](7e
k`sJ;H[
IW+4@h
{Wrz= P~
D78Z4(tO
`5TxH|
/G`Zn=
Y!N3:I
B=Ns00
z@If>^x
jkrg&NB
[mn2+& ;
BuAUyHP
Ua(C#3
02CRJR
]O16UQ
C,m/wm
{{+/bF9}
Ic}@ub
v%j,&{
d_D`3xb-
8]x)e?.'O
+Q'=F.O
2hwcdbB
S@-6Pr0
\"O&@}
vo|vO=H
+#lFcUE
]jF98p
%_1q~7d
]z; U5
NaQ;@[='
b&dg'm
Vc$$(i0
E&xOH%
+7QQj2
ZHB6uS
]~#G0R
^2BpaKU
H=?{iF
52R8N
%YW0~FI
^iogE+
ILIs>{
Th(B.o,NJ
}"n|.'
c:'/O9
NT"gtY
Q L6w%M
'CXL@(
M?Qz^<>
<N]F*]
u$;/Hf
6V00Uj%b?9
g0_jXIG.
&`Nj`6kY
;QiGDW]N
s1nKZ/
#wFg@?
qhZ)zL
3I7^FJ
?D#l'3
V5wmpr
Yod[dt}8
#fFG,b
y^>>sQ
HHLvly2
bXKCY&HZ2)
4ELv,7(;
wR]8MP
NKQm$,
H2s)t`
/M!vRA@
;*8kDF
UDKt<x
{[C 'N
yOEltRA
lw{N1n
BJO:VYnZ
?Tt%PO
":)a0Y
3*5Y#{2
JT=OPa
X#&Kh*1
&rw3:=
A*7`E}d
FrT(<D
E4)zq6
1#fuUx
1, qa'
PAIH8[:eu
6[th3'n|
>S-57x6
qK[+G`
^8PCpo
*]ks&N
zl(R\z
(LLNy.
b&fgP`O
.l{7:F@
KVV!8(
{FO{[[L;
AKU:}&
L^5II^
?l`TC>u8
<hzT;Q
p)Gu4r
U$Ix86
zxZBlv
L/EM$:
YDS_aLd
Jv#9vG
H'OqvT
o.32&$<~w
lDbw@M0
i/;qEf
u?6u)I
OP*#}3/
>$.ZKm
)MP8,^%
2D!~*<
W+9%4!
3$\64 gA
r30_d]
QJXI8f{v
BJolpXL
>XgKfn
{o**+
W9}Y>oN
,"6o`.
u:>2"g
'B h+'2Q
I='G#qB
MYkm3VpKOq~:
o]10ve
<ny|8V
HvVA$i
XXD\:?v
)E-zc~
`OMpkG9
#o@"X*S<
@R_=+T;x(
*tKWc]m2
wh0.Ad(
m0y.Ts
"+-jvA
]EOH3i
'~mkO_
A~gU"_
l7iu,q
e Dm%l6
p1Kan^
[YPRrhH
?ZM\v
`t7sDOa.
_~Y)l3
yq?E'E
6sZydr
`:PP A
uB0B.n
Y5EqV1
u{)Ep-
V_zpl)
s;^$DR@
Q9]|7K
%UTMvq
XB%/Z[
!CBl>~
?=&A)2
9@fJ(HY
oI^h|Y
NSxr>/
M)C5u+mV
gd%W>9J
")axFP
mYdn~F
QJyDZx
$SX@@J
rPNcaS
dhHkORN:
oLl5ra
!u>t~2
6.^7+rB"2
KoLDnU
oc@Oh
=h$*r~
srOX|
.srN<xA(55
#Qgp`X
ng?Ife
}"S0Po~
S'>WRG
jQ[<Sb
|L<LF8
+6xC$:qy#?
)'e+.o
g2_w?
qeWY3*
qy<Y-9
>HZY)l
=[>tO2
LU=bA/
Tp^(oI
^:IL01
_gNj)C)T
]b=Cr~-QBu
Ru9;e6
U>r|]C
v7C7$+
zh:#I&
h)P8yaV
V_HR9|
9PY;\:
-+d!C+
r3E7EW
Y(xK`-Q
tMqFP"^
av:j<E%
SG0ARZ2
mqc2*-e
+C^h4x
~VJIS,
K0<tTt
a#\e"v
'@EyBx
Ie;U%
$68|=G>
V,]l76
rpdbL~
Om.h0|
b` 3*I
>8`'mC
Mw3UNn746
O"qN6a
\;B|e~
cTNA9s3
m+|;!&
sd9)
[WePeNP{
ye"\fl:J
@V07Y*k
5DD4zCC_
kR:Z%p
??^ O:
xdIXC!01
ob@yG'#
(Z{.sLs
Tf::'
]T|enK$7Vf
DH7WF<,(
[e3lBa
S'wc8My
4pHUQ
6(S`@%>
?ETm=}d
" Og$r
KO":u:v
o"ZdS
K4Y<YU
FV'Sjr
*U}>;k</C
m/x}eL
=1uACs
LVOXHhq
/p>[%/
f4AVAS
73"0yty
26A{-!C
|];8,=
9Rj\Gk=
_?(#t}x4/
AA?o4=
p#vWoz
E[Mm5d_G
+J^K40
~.vS.)
MaX4Ei
a)Ab&V
$Bt4RN
wW{-]h
%,6k{%
vQ\;6X#
^@)mjA
Wj}x)]
oJ%'7M
GY>5z?
j0?eaj,d
_73k};q@
*B9fs:(0
!s?;]f
;YMMQ@N
*9[I'T
,~<L`+<
@MX~#[{
@]~,4M`
7R{@ni
?-4y}<
|ZrmoJ
#0\Je2V
XFp@Z/B
iY}O+z
n$W3|}
,2jP]/
K~`#MDR
\_/A3_
Y~,|P=
ga>G"I
AIfusyA3
FoPmxo}^<
!MhGKA&
>*\e7k
]q@ROd_
.F=_A,
SejEM6
k=nKxZ
pj/pVR*
{[RzEF
n{Tau$
".G`)
|J59#&F
_*s'}/Ry=
}|hOsC
<W&{wQP
JI6(W;
7~|H6W*
sxw>-F9
sa9u3~*
]L;i'
1lLn])G
y3pHJSm
&R5lPvFih?
)YQI/5E
]MUmIc
]j Jyjy
\i5$(h
,.kp5,
w%'H9$
G&@f{`
<@u0}2
@)!g-6
:t(Zh]
0}#4N,
X-p&}J
RdGkf!
2b)wrd
Hr]P8v
%'sD)7f
:<808~
NGzBZ
h:N57NR&'
H(.[M<*
%Hp1kR
Cls/[<_
c@|h`(
h9:UA!
f,fMlb$M
d^`<Nb-}#m
7_};3h
{yA6CdQ
F,y0V-R
[PF5<
\M@G6@MV
u${u45
gE&m]Y~
>Ev+(\
_#[KL!,
*^Nws9
G3!_4a
*GZ1fRdQ
=~>ojY
1J*,(
nGb@N_
lJjOzO~
QvW=t*
0gQ7x!
*Ev#d"p7
P`"pL
M$>pIt
*X p]_
C#9+jQ
IUt~gQ13
*:U7,w`=bI;
L0,0Zj#y
dg9kln
q(<}>p
er$9CpA
hCyOI'Ri
#Y<*09L
[yav>@.Q
cvxLr5K
IX"NWv
xdrM#L
x][/U5A@e
byG;jKc}
^*~<M>
<6OMSvh
Xmw3k:X&r,)Q
-PU3hnP+0
j*rJylho
o*:IQN
~l2I"
5:Fr~n4
@f2uXM
s>"c!DR
<bqi6,
*[x!a(
!}e2NJ
CX3"Ig
=t2x/MUV
(gJ^((
>'YtTSd
>'=#j}
9[<S-od
TD 8p(
\8j_#68d
"KFiY=gK
l#J;@N
LrH~:O
4uD>zF
Tzn/(D
NQE]$Ge
,act#b
/z}jS`C
.6)}]`
x>\!ZY
C/OV)X
5ikTkz
Ib <Jg g
-LjDfF
qJ\)'z`
?7uZ#(
ABYyW4O
@W2bz_Y
~.PU*
Y2)6/n
vC%Zdg
Uh)(Fe
3MVfs;0H^
F#>chlU"
G7{K+r
k51RflN
Zm|qQz
cm:Q7o
0+N,T>
D-pQ_A[
TQb{dVkw
rPka@W
w?qZ,!
>7da*
NK_"6}
y{y5n2
pxU)G^
\5x"dv
ycEQ6LUm
q3mykZ
9qC|ro
bcGz
P+(#D|
sy8_7i
aW.%T
m?"3$e
d^;DOv
!]Y{&x
e*0|cl
?mY@=%s&
'd[[D&19
)&4ZwX
+.p*&Q
JUVmkEs
Jebya
IzRdW|
vc)_QX
=n&v?P
]plT9
dWN]xB
@SBhfza
Pu$k}:
q:8?8k
p7Fa=67
uOD;)*
csFWv%
@q}co`
g@tkqw@
&D:?4cb
lX]POj
V83#BQ^
82Q',rU
p8x!In#^
~*dckE
lNwCtF
ix:h3mz
Z8}V1G
(NK]9]
P|L[OjB]
PR=U#
l{_,rw
"v6&$|
,.'"Ym
|*]+o=x9
gCBM-5
jq\2U3:
i\BC'}
(|$fbJ
B99B9>
V,K}/A
3lN#K,
E}pvUl
YN.;""
D5KYv9Z5Q8
<N;p&O
b(+ngv
3hW|\5E
:LE>Y&
d(Y.x?0
keCl0H
(s$z 9
FdXxO`'
!c<5}C$
<K%ba#
Rq)[]o
kvk0n:
)i)Z1-%E
$M(k1{
3~&\9d
Kp9HG6
?:g`h1
r3KH`/
5X1u`C4S
3@pgfIW
uM-!YIC
l[<~wB
HO*@&Q
i\%w%|s
X^(/0Q
p]`QUu8
t~*\(V#
aH7"xF
e w_zb
Cwk$]GE3
J4Z]u>
H|GLc8`
m7fiTz8W
|g@8S3
,h{l/]
&hT!-;
VNR)Jy
y63#:H^w
H}i+fX
#5G[ G'
,P+LnGq
h$4|f
R;|E -
9y?8g,
s:4OZQ
Pxm-o>
/\b0-S
4;"q0|
ArsNZ
Y[KsC2J
Kl4c/n
c]O7J|n
xNyrODR
pK6(f
Bm@8fyu
LN"g\P
IsG)=9
U~L!TG
S6,pklW
+_\7Rx5{
W&fgGL$
-cxS@[d
"5]Kos
RDPDLe
jm(/n(
,i)oru
11<~$\Nf
!~H5aS
rFp7qN
B+)Y?~
FE2h..D`
-k9*3
?CD@JB<
.1F)CCtn
h<JyQQ
x{ukY+
q1h<@f
Y'=\8m
GYD0|2
^bT?$;z@
`8YjJ^4
#szK?hY
owo20]f
o^]gOv
Z~nA,j
WFUA]/
'Q3Ht#`
S7L=$A
bQMBw
R/NYac
M*R^^n
o!3?QxHuI
nRuI;`
?"%zEy(C
V[td%2
,ZjIyT
}\#*iH
c"]||7
EuhK(X
p4ud>j%
U+)_4r
On,hCk
LX>ZC1
R/haWys
t4{}]-TR
SUuyh/|
[ANyUw
HXR Qe
`g3B;d
~]m?9~
uwn57
S$>kP|
q[b8O
nAr&,xx
'bpANIG
LOPo"}
!5CyHI
>TG>C!J
RG^ud{c
F)zV&;
V,A(K@
}U@4vr
N2h/O74c{"O
y{S0Ky
=<{O*~
UY2E7B
u^ONw8
YvZZe!
OMCH#~Pxo
^Tvn$t
VP6/`J
0dHZyi
wY8Q'{
{${axn
X/@ZuC
FSo']U
MW`=`{y
u37\LZ!r
<k4C_.`NI
|h)lhj
LUqq-?
ylKtrR
gt%WYM(e
1FXZIed
be~<zZ
MvS_d
~nukbRt
f\V&,l
E~>0V(
clmqHE
%;/4`:
4if#sg
cW`BR`
n+Et$F
q#YGfb2k;(pJT%
N-vl1A
z>/jnV
7NPvMF
M;=Ve[
lJwZ)b
.j#6(lW
]7DC_\
949S?\
<$JZ[9s
+P]c<p
;o](SW
x!@x0
g%w@2
G$VmH?
,*sdk\
7Uf3+@
~2`UYf
OJ#~{
-q%'5V
_>9<::]
Xl2+HF
D!D@ic
d>8a:%
LVE*l%
7:6Mib
:}d+ro
<i&Lk9
;D~,M#
/b*1}~
"Y5-%j
7bO}K!&
t#M~|S
*lwi*W8
'?Me8v
AzY;5O
hZEhL8
jf>}1F0
%=]oUVmR
_?qhj`
y{4G+C
ygh9#D
[ QB^8
D4cux`%
<|h\[Y
vXTj[U
$<n|'hL
D5C4axiRQ
8H6k<8
u:I\71
co`gKy
q2+g9[t
CbO2(~W
p2YN-G
>cqj}\
;77LlR
6F5icYW
dxeU5sq
<rjoai
Z[E9$b<
vp5d,Q
=sG95v
FC.bY
\G#p:,
3:bv{.
FPZ1#c
:[BVI9Q
Q@c=3%
"-g^wM]
xVy>u1
P\G>X=v
z_rQx=
o?5+!z1]dj
%OQi=x
)rEgkU
s (O$>
Q%Jbf3
yPfb_6
l~QV:=b
EMq#9!`F
_XfD1ymn
Yxq+WaljD
eCMgfSwr
}x*AC_B
P'9Y2']
yLHzQ0
}$#0p_H
y1GR4{a!'
,4$!@{*
Lu*z)z
h~>V)
qlxv``
%)JZi7T)J
~>)Q?+h
i=:(Ji
><Mm"
|bSkuJ[
a8a5A
3;9330
1399;;
swwww77
wwwwwwxw1p
w3w717
uuu7,M
'xxxxxxxxx'
? uu@q,
CG'''''''''''
GGGGGG
GGGGGGGGGGGG
? uu`f.||||||
|||||||
U? uuwf.
Y.......
.....PWv
Z......|'2z
GPfYZ.ZZ
ZZZZZtx
ZZZZZx
ZZZZG\
|xxxxxx
q44ddddd
9Oii@&ml2B
ii@@@@w
ww@@ii
#######
PKG6Y19
dwH&KG!6Y#.A9))
QP!Yh:
f))))))<`~xU
^^^lp4
rrrj:wEp
rrrrr0
a////fv]
7Ceffffe
aaJ7Ja
5|=\-mF FFv
55555*
R:ssssssss1
\\\\\\
A$\\\\\\\\\\\\\
,\\\\\\\\\\\\\MR)
S\\\\\\\\$
7\\\,)C.
=6&[9#
P3DD;>P
Q(YY[((*
H5DVS\\\\\\\\\\\\\\\\\\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
type="win32"
name="DelphiApplication"
version="1.0.0.0"
processorArchitecture="*"/>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
language="*"
processorArchitecture="*"/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
user32.dll
GetKeyboardType
advapi32.dll
RegQueryValueExA
oleaut32.dll
SysFreeString
version.dll
VerQueryValueA
gdi32.dll
UnrealizeObject
ole32.dll
CoTaskMemAlloc
comctl32.dll
ImageList_SetIconSize
winspool.drv
OpenPrinterA
wsock32.dll
__WSAFDIsSet
T#`{+<
"% u&C
2:&Zh
Ap licat
d,anl
?ExitP
USQWVR
Z^_Y[]
BBABORT
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBRETRY
PREVIEWGLYPH
DLGTEMPLATE
DVCLAL
PACKAGEINFO
PLATFORMTARGETS
TFORM1
MAINICON
VS_VERSION_INFO
StringFileInfo
2C0104E8
CompanyName
FileDescription
FileVersion
1.5.9.200
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
0.9900
Comments
VarFileInfo
Translation

Network

Hosts Involved

IP Address	Country of Origin
95.101.134.56	Unknown

Geolocation

Destination Country

Unknown:: 100%

File

Type

PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed

CRC32

5939C1A9

MD5

0f776e4323ad9db11ff38f2eebf9ea89

SHA1

1918e0dfb419f2496b81ac214b6610461b82b47b

SHA256

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff

SHA512

1213f44fd82203c9c687edeec73c2c7164297462981978e410ea215b3b4e2419f402f267e6d3397b03ec9e0f4cbcf829cd82bde233cbe39aec80f651677f16cd

Ssdeep

24576:c6XVuqBF2AaPuQqMe+8OYOnDur1oZIR1:czCkqMe0YOnS5PR1

PEiD

PECompact 2.xx --> BitSum Technologies

Screenshots

Behavior Summary

File-Read

C:\Windows\Fonts\staticcache.dat
C:\Windows\win.ini

File-Written

C:\Users\Virtual\AppData\Local\Temp\Virtual2.txt

File-Opened

C:\Windows\Fonts\staticcache.dat
C:\Windows\win.ini

Registry Key-Opened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409

Mutex-Accessed

I10TM2835DJ3WB
Virtual5

Processes

Process Name

PID

Parent PID

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe 2700 2652

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1595245685.74	2	NtAllocateVirtualMemory	process_identifier: 2700 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 1 base_address: "0x01d30000" allocation_type: 8192 process_handle: "0xffffffff"	Status SUCCESS
1595245685.74		GetUserNameA	username: "Virtual"	Return Value 1 Status SUCCESS
1595245685.74		NtCreateMutant	desired_access: "0x001f0001" mutant_name: "Virtual5" initial_owner: 0 mutant_handle: "0x000000c8"	Status SUCCESS
1595245685.74	2	NtClose	handle: "0x000000c8"	Status SUCCESS
1595245686.77		FindResourceA	type: "#10" module_handle: "0x00400000" name: "CG-CG-CG-CG"	Return Value 4259976 Status SUCCESS
1595245686.77		SizeofResource	resource_handle: "0x00410088" module_handle: "0x00400000" resource_size: 239935	Return Value 239935 Status SUCCESS
1595245686.77		LoadResource	pointer: "0x004100f8" resource_handle: "0x00410088" module_handle: "0x00400000"	Return Value 4260088 Status SUCCESS
1595245686.77	2	NtAllocateVirtualMemory	process_identifier: 2700 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x01d34000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1595245686.77		NtFreeVirtualMemory	free_type: 16384 base_address: "0x01d6c000" process_identifier: 2700 process_handle: "0xffffffff" size: 16384	Status SUCCESS
1595245686.77		NtAllocateVirtualMemory	process_identifier: 2700 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x01dac000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS

Showing 1 to 10 of 579 entries

Previous1 2 3 4 5…58Next

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe 2748 2544

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1595245728.84		__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x401016", "exception_code": "0xc0000005", "instruction": "mov dword ptr [eax], ecx", "instruction_r": "89 08 50 45 43 6f 6d 70 61 63 74 32 00 13 5f ac", "module": "8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe", "offset": 4118, "symbol": "8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff+0x1016"} registers: {"eax": 0, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 4198400, "esi": 0, "esp": 1638276}	Status SUCCESS
1595245728.84		NtAllocateVirtualMemory	process_identifier: 2748 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: "0x002e0000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1595245728.84		LdrLoadDll	module_name: "kernel32" basename: "kernel32" stack_pivoted: 0 flags: 0 module_address: "0x7dd60000"	Status SUCCESS
1595245728.84	5	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dd77a10" function_name: "ExitProcess" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS
1595245728.84		LdrLoadDll	module_name: "user32" basename: "user32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1595245728.84	2	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dcbfd1e" function_name: "MessageBoxA" module: "user32" module_address: "0x7dc50000"	Status SUCCESS
1595245728.84	2	NtAllocateVirtualMemory	process_identifier: 2748 region_size: 1761280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x02180000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1595245728.94		NtFreeVirtualMemory	free_type: 32768 base_address: "0x0cb80000" process_identifier: 2748 process_handle: "0xffffffff" size: 3178496	Status SUCCESS
1595245728.94		LdrGetDllHandle	module_name: "kernel32.dll" module_address: "0x7dd60000" stack_pivoted: 0	Status SUCCESS
1595245728.94	36	LdrGetProcedureAddress	ordinal: 0 function_address: "0x7dea45f5" function_name: "DeleteCriticalSection" module: "kernel32" module_address: "0x7dd60000"	Status SUCCESS

Showing 1 to 10 of 844 entries

Previous1 2 3 4 5…85Next

Classification

Indicators

Yara

Static Analysis

Version Infos

Sections

Resources

Imports

Library kernel32.dll:

Library user32.dll:

Library advapi32.dll:

Library oleaut32.dll:

Library version.dll:

Library gdi32.dll:

Library ole32.dll:

Library comctl32.dll:

Library winspool.drv:

Library wsock32.dll:

Strings

Network

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Opened

Registry Key-Opened

Registry Key-Read

Mutex-Accessed

Processes

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe27002652

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe27482544

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe 2700 2652

8e9b60a1eaef572e2955edf359350aadea5a86cc122e5d152d094cc6f063edff.exe 2748 2544