SecondWrite DeepView - eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4

100

Malicious

This predictive confidence of maliciousness for this sample is 100%.

eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4

968.5 kB

Size

2020-09-18 08:49:08

First seen 38 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

High

Virus

Low

Banker

Low

Bot

Low

Rat

High

Adware

Low

Infostealer

Low

Worm

Low

Spyware

Low

Indicators

Expand All

DeepView™ Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Anti-Debug

Checks for the presence of known devices from debuggers and forensic tools

Checks for the presence of known windows from debuggers and forensic tools

PID	API	Arguments
2536	FindWindowA	class_name: OLLYDBG window_name:
2536	FindWindowA	class_name: GBDYLLO window_name:
2536	FindWindowA	class_name: pediy06 window_name:
2536	FindWindowA	class_name: FilemonClass window_name:
2536	FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com
2536	FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:
2536	FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com
2536	FindWindowA	class_name: RegmonClass window_name:
2536	FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com
2536	FindWindowA	class_name: 18467-41 window_name:
2536	FindWindowA	class_name: FilemonClass window_name:
2536	FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com
2536	FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:
2536	FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com

Anti-Emulation

Detects the presence of Wine emulator

Anti-Vm

Detects VMWare through the in instruction feature

PID	API	Arguments
2468	__exception__	stacktrace: [] exception: {u'instruction_r': u'ed 64 8f 05 00 00 00 00 e9 ee 0f 00 00 52 ba 01', u'symbol': u'eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4+0x8793f', u'instruction': u'in eax, dx', u'module': u'eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe', u'exception_code': u'0xc0000096', u'offset': 555327, u'address': u'0x48793f'} registers: {u'esp': 1638236, u'edi': 9055538, u'eax': 1447909480, u'ebp': 4117737492, u'edx': 22104, u'ebx': 2111312053, u'esi': 4748130, u'ecx': 20}

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

PID	API	Arguments
2672	GlobalMemoryStatusEx	N/A

Av-Tools

This sample is detected by clamav as: Win.Malware.Zusy-6622765-0

One or more AV tool detects this sample as malicious: Backdoor:Win32/Xtrat

Generic

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem

Expresses interest in specific running processes

One or more of the buffers contains an embedded PE file

Automatic Sequence Detection maliciousness score: 56%

Http

HTTP traffic contains suspicious features which may be indicative of malware related traffic

Injection

Executed a process and injected code into it, probably while unpacking

PID	API	Arguments
2536	CreateProcessInternalW	thread_identifier: 2676 thread_handle: 0x00000164 process_identifier: 2672 current_directory: filepath: C:\Users\Virtual\AppData\Local\Temp\eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe track: 1 command_line: filepath_r: C:\Users\Virtual\AppData\Local\Temp\eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe stack_pivoted: 0 creation_flags: 4 process_handle: 0x0000016c inherit_handles: 0
2536	NtUnmapViewOfSection	process_handle: 0x0000016c region_size: 2015166464 process_identifier: 2672 base_address: 0x00c80000
2536	NtAllocateVirtualMemory	process_identifier: 2672 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0x0000016c allocation_type: 12288 base_address: 0x00c80000
2536	NtGetContextThread	thread_handle: 0x00000164
2536	NtSetContextThread	registers: {u'eip': 2112356804, u'esp': 1638384, u'edi': 0, u'eax': 13191280, u'ebp': 0, u'edx': 0, u'ebx': 2130567168, u'esi': 0, u'ecx': 0} thread_handle: 0x00000164 process_identifier: 2672
2536	NtResumeThread	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2672
2672	CreateProcessInternalW	thread_identifier: 2724 thread_handle: 0x000000d8 process_identifier: 2720 current_directory: filepath: track: 1 command_line: calc.exe filepath_r: stack_pivoted: 0 creation_flags: 4 process_handle: 0x00000120 inherit_handles: 0
2672	NtAllocateVirtualMemory	process_identifier: 2720 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0x00000120 allocation_type: 12288 base_address: 0x00c80000
2672	WriteProcessMemory	buffer: process_handle: 0x00000120 process_identifier: 2720 base_address: 0x00c80000

Network

Sample contacts servers at uncommon ports

Packer

The executable has PE anomalies (could be a false positive)

The binary likely contains encrypted or compressed data.

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2536	NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 process_handle: 0xffffffff base_address: 0x7df0f000
2536	NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 process_handle: 0xffffffff base_address: 0x7de80000
2536	NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 process_handle: 0xffffffff base_address: 0x00401000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x040a0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x040b0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x040c0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04190000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x046b0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x046c0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x046d0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x046e0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x046f0000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04700000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04710000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04720000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04730000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04740000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04750000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04760000
2536	NtAllocateVirtualMemory	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0xffffffff allocation_type: 4096 base_address: 0x04770000
2536	NtAllocateVirtualMemory	process_identifier: 2672 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0x0000016c allocation_type: 12288 base_address: 0x00c80000
2672	NtProtectVirtualMemory	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 process_handle: 0xffffffff base_address: 0x00c80000
2672	NtAllocateVirtualMemory	process_identifier: 2720 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 process_handle: 0x00000120 allocation_type: 12288 base_address: 0x00c80000

Creates a slightly modified copy of itself

The following process appear to have been packed with Themida: eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe

Persistence

Installs itself for autorun at Windows startup

Program-Level-Features

Contains obfuscated control-flow to defeat static analysis.

Rat

Creates known XtremeRAT mutexes

Creates known XtremeRAT files, registry keys or mutexes

Static

This sample contains high entropy sections

This sample contains low entropy sections

Anomalous binary characteristics

Yara

Yara Pattern Name	Description
IsPE32	No Description Available
HasOverlay	Overlay Check
HasRichSignature	Rich Signature Check

MITRE ATT&CK^®

Show ID

Enterprise Matrix (Tactics and Techniques)

Initial Access TA0001

Execution TA0002

Persistence TA0003

Registry Run Keys / Startup Folder T1060

Privilege Escalation TA0004

Process Injection T1055

Defense Evasion TA0005

Software Packing T1045

Virtualization / Sandbox Evasion T1497

Process Injection T1055

Credential Access TA0006

Discovery TA0007

Security Software Discovery T1063

Virtualization / Sandbox Evasion T1497

Process Discovery T1057

Lateral Movement TA0008

Collection TA0009

Command and Control TA0011

Uncommonly Used Port T1065

Commonly Used Port T1043

Custom Command and Control Protocol T1094

Exfiltration TA0010

Impact TA0040

Static Analysis

Version Infos

Translation:: 0x0409 0x04b0
InternalName:: Spy24
FileVersion:: 40.01.0001
CompanyName:: Microsoft Corp.
LegalTrademarks:: Microsoft
ProductName:: Remote Service Application
ProductVersion:: 40.01.0001
FileDescription:: Microsoft .NET
OriginalFilename:: Spy24.exe

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
\x00	0x00001000	0x00032000	0x00017000	7.95973685056
.rsrc	0x00033000	0x00006d4c	0x00004000	7.52345432813
.idata	0x0003a000	0x00001000	0x00001000	0.220958014954
	0x0003b000	0x000f3000	0x00001000	0.0421692483801
nhgxrnnn	0x0012e000	0x000cb000	0x000cb000	7.86137014116
zgwhklkc	0x001f9000	0x00001000	0x00001000	0.712098118577

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_ICON	0x001f7e3c	0x00000468	LANG_NEUTRAL	SUBLANG_NEUTRAL	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x001f82a4	0x00000078	LANG_NEUTRAL	SUBLANG_NEUTRAL	MS Windows icon resource - 8 icons, 48x48
RT_VERSION	0x001f831c	0x000002d4	LANG_ENGLISH	SUBLANG_ENGLISH_US	data

Imports

Library kernel32.dll:

lstrcpy

Library comctl32.dll:

InitCommonControls

Strings

!This program cannot be run in DOS mode.
.idata
nhgxrnnn
zgwhklkc
_j.: yI
Lmzev:
_oF7}VY
vDc/fU
!F[f!r
3p#m*Pr
Dmy"Rl+%NO
`NH[H9vS 1
r}XN^:T6
z}}8#B
OY@.oJ
W\F}Fg
%oR,{d
hE0HZN
64N|Jn
w}iIB^
`\mf@K
G,a._H
nNZ9u:
h@<(Tp
nR?blr(
,?:8RvNu
@>:I`RAB|
W9Mb$ca
6Ilg8}
9s^$ycZ
P*.&X_
%hsP6nvgF
yE`<}
/:+~9j
`:|\G6
1hnN&4^
#9R^N(
IYHzXC,
~gE%p`5Rs2%
F.&W7zD
\u+V~6
k:.LGsQ
HhjNtD
bIL9'x
']?B1}
?r5%KE
<FcQz{+
?.\UcJ
^>8$,TQ
aT/9\;
.|PN>3y
]tH.FZ3
hi0u*{
Ro~m6!O
C="`=?
M|y^RA
S-".ZG
PB8,{F(
g0%LK#c
UT*-A
bVCNB$'%
uXDRNi
Fg9%8T(
s3(_,V
$gmk5KN
`G.DIM
SU?$kN
<#C3gF
bz$yua
C)WFl\
n_IU"\s
RXDkM,
lq^ ?y
M?EH@7M
${:etA
20ue'}
$HH\IK
2zJQ+,
+QUJ5oz,^m
WxBJ*Y
l"IkmW
'|^gKw
f%P.Xp
AzsB^wR
n|>:Pn3
n(~uTR
ngn|zm)
%$d@KW
bCSoGd
Q(p&]yQ
fBA2|W
Mu(40j
-lz7Cm
A_R_j`
K:IcM:
G9%LK&
vV$FMi@MNq
MLzVQ-
o($/L)g*L
Bb-n)d {
"G@r.V
tBPJ7E
fZ$[qsE
Kbx Ab
,u9$Z
H!gqyX
ih(,Eh
>8c`nP
5dOHN
NjHW..L@qY
.n`y&
+llCM8
k|z2'z
LG^WC
3/hu2A
9\h%|ht
ft(@~O
NVj-
xAIxaulj
I:Eu.pl1
!GrWtIo
I4{(>R
:miii&
bB|FDn
B/`(lx
<6Wum'
w49&\X
F>$orL&\J
:lyT+N
F ()'__
n^bDCi
zy6c:xW
VG_k8p
>UD/Fc
1@O`0&
=g`O C
4U{d$g
nmZGnJ
UgiABpz
E{>UD
3,$q9F
J{](wl
:CR=nV-
0=pI%s
l(_f}<
$}jd+nK
cQX2qN
*1f|v93
~"|YN`
=dZvSk
zi\KGg,
p=&hN9
;_4p[7
kB]RMi
)r\Qjr'P
qO^G&^
KZGD."
-\B<x\
YP]J>r
F^LsEH 0K
`J(?\Wv
oHdBCbm
8C< R:
czH'Hq
^^Nu{B
d}%;P=
!adr ad
oR<^TV
oN<*TW
Oy$zH:d
vg8?+K
lk?JvjS
n;E|jM
#]<IY_
IDF+(Uz #
GGhn*P#
E&LNRt
48A+U`
d6$Q&6gdp
jJh6ng
1?\r;3
X;`"Xx
$~/<6f
"U~|NF
<2"]EW
Un|~+.
rNDT;fIb
`N@zgL
.jfa*i
N& 6Xy
VGLx']kf
*yW?T(~
S4j:cAe<N6T
zo?km9h
H\BIe
ol6FBNO
u6Pw}}W
$ZCu&U|
#A&/$^Db,
Xa"V<2
k706o4w
LP}+_!R
Js1n:5
;YF50Ef
#$ZM&
u}4(bZ
jV+%1N
^zn=UQT
ZZp=/~+
4)&~9/
,<8Y2F?$f
cHMtUL5|C
J}wB-fN
#n=+~~
#|K'YnP7ZV
5hF;$n:!
t! F!)
/x2e#b
Oc?`|y%
z_Lr.f
cV<mRBV
v{T<f^8y
\n=s"0h
="R?oupt
v8RS:k
;nx/D9px
9x*tTC
`V^#!J[d
;8}>8S
/WXN`t
_~`g&P
AOw%mL
'y.Qd~
~Et$dQ
EHA0PX^
Xo<unh
Nn&%}It
#$Xs2>TH
l:AZ.I
v0Ws}52Y
C&-yr&
YlLjwR
bn%ah_L
+RfsFV
@hQ<NoP
0`R]4]0
-fs6VXp
t1#7(y_
fsFV\p+
`NpX#FV
Y4J#E@
`*pD#F
QzT/ xo,f
X(S3D$
V88|]
| VoZU
]4N#ED
`.px#F
<kG"Y6au
Of)li3
9 |]+Z4
}_YWLf8+eT
hV<YQ"
}]CZ4H*
}_}W0fW
hj<=Q"d
9l|]gZ4
9(|]#Z4
9p]#F[
V+},l*6
1R]5\p
_8sU!h
LOJq~K
4s'7?
;t#Vt
$z;jV
mhO3;V`sx
Y]&3EHk
/r8lyF
)dlFQe
"e^^U
z%*]g5
|2;9WjP
nap[SH
%OM`8O
NE*n*7=$
7r6B03
I>wosh
?sOlP=
})YvtYW
Y%xHM2
UGZ0WET0
YgIxp^
((oIW/>
!lD1-
_Ptg)N
lstrcpy
InitCommonControls
kernel32.dll
comctl32.dll
K4V$JD<BJI
?$'!L$%F
[I<xg#
1#7ZLE"
6a,Ig
20<W]<
@!!g{;
/aRRNO
X(2C0c`
|M:,LX
@~>15b
XCX&cD
YihP6\
D;RO(q
1|#d&y
0d)"j:
pQmR(?2P
HTa,.;
6I4l_Q
-tPF-UBd
vK8 B
$\%E,
FG(DR&
8'^D4!
D-BdF
,5u(~PIH
P'igQ<
t-B|DP
{P)J.
lo`/:
i"T;q}
h0l)PU@qD
nGq&t
#4z}9s
v&l1`Gy
;9p}sVc
pTqs(
{2d:hI
@0[%XR
Q~A 6
=vp=b}
Sfp@.Z
8-piud
=>%{VJx
(2CPpz
?5,KS_
93W TA?G
hBIq0'
\^T1k|
/LXS@x0
QfgU'F
mxQ.T^
7G|L`U
]84G@:
M$M,Lx
H+i1 t
Gh'!7f
+ZS2%I{C
1I!U5`
^Juf+?
Er?uNx2
ZpcM1('Us
0Z%p?k
xH0xx*
W'du Yj
,N^?S
{~IYd1
_2'xA`
zSux0[
}^%:fs
i2OB
hPmw$X
o<?#a^Uh
4#XAF&[P
+9#oxJ
b_C B%NUJp
@0CS~}
C+/aUq
/3.kKh'
3xdR>%
/P]H|5
G1l,%]
Igw+e`
YX<.)J
yX!E;`
HhyhtZ413
uw0DHa
*]h"\E&
sSLd7'
MQ$QOZW
v2%Z6~Z
,Y UeQ
)NH`2@
R%Xd.@
,`}&Ph\Jr
\]SFJ-
~{$R:l
=FH1~3W
N8=5s+J
$@-$tz
.N]XUY
I^B?04-
_$'-Ke
S%q6PY%<(L
0`[fh-
(,5z/
y!Lyv8
Nbm@tA/
T]hgA]
lzy1^[
+:C/@1
K\gL| A
b,wfu,
h~J-Trd
h(f-_5
omCaB=%
JJ]Xe
A?8,U}
9ln?%~
Uh&QeY
2{I{ ZOV
<;[`^T;
_e$Ah
/I'pD%!k^|b&z
Vb>mZ_
hs~F<Z`
.SalOY
WQ+Ij_c
uZqxK~
eq?Hp
*3jV 6
Shb<%+npT,
-`-pS
; 5ht;
u3f<z>)
;&+F_
c b3~S
v~06\?
@'k5)>
gY-.Mb?
<^|CUS:
"_`Na(/FS~
"Wo&f%M
uycWV=0
ktxKZZ
S@4u%H
@p<JF5{
H&pZ>*
rHsA,
$y\,RTn
d#)F+9
~/P*qi
[qVD-S 0C
0KhtM
C{q[Z1
Z/@|[P
[hj5(\
p7{6J
FC4E0/y
4J]D[T
L%5B@9
fJTC.B
ByI5u!
[hUJ)'
WT0|akv$
J?h%!q
fI'~#A
%UEei\
mF18T^?'n
HAHf%8
h~^Ad@
4k^,V"]
VUWhZS6G
Shw>]j
e?0kY!
`XSjcN)
Rq%_jdW
Y8PMsK
5-*[NW
df8uLw
,!HHl?
C<Hp@@
hTQ^7f
!khj&v
g/hbK5
~eT&tXN
8>0ca$;
QAX@~~@
aP ;O2
`&y*Uc
iO1'U+
gf{'PT^#
}^z&=Z
`04o$K
OH4P2
2k!_('
h7_HV,Q
h8U$-NPZ
G SkM>:
9A-{K|
5Jn!:HR
a6o=O>
!xi-! |6A
qmtzJ"
T]y&,+
`+H52|
)u-+(.8c
"wtnU\:
Hbv}mX
8/B|h9
<J8t
-|yI9
b%x~^Vb@
,GY0f(
\OLI
-<5 '>+
&x.7ra:1`
,jf? u#
l0.KCR
".ukO)h
Lz{R.b@
`[mNX6
Ah%l'l&LP
-[4iUGH
%wYsS (o
QIDQ)K
1.[SMo
_,0aL@
@%B]~6n
F.1)VTvh^
D(wh'1<V
"B4Yhy
%\VsBk
yhc3qh
sqE@hxy
ZPRqZh
gQ_Y-5;e
Uh[y<u]
Y! B{[
u{-s$39
%]HEh3
vU)#{`&_
\`\h;g
!c]m*!
n`)orT[!
Od/-Nj
Ac5[1Z
&@PE$[
YIl{(^
h#D}4L
_/h~b/
vRX_^&hT
XhE"}f!
bf:M@h*
SA3O({
Ur/Mp`tq
Yh"R:`
H[!-vGx
C~{y/'
IR_wg`
c+%pW
0<OH7xN
i}d'z\
o0?h7m
Ub>cVP^
'_8+2h
PkQ{Jii
`z~o= c%
5O,IwS
EDHk49=
`X|)MJ
X8nL>h
3uV1`6M
d X}[K
]9 hqDz2
@{LkE'i
^XKj@
4[_^6z]
|iS2p]
GOe5v3
fW4A` yT\6
yG|zUp
w9g0:N
Cg w@x(
]]`_+c0
mbKWwf
QPh|[4
|0l(Zh
^-K_'#
x!/,F|5
UeC-;)`
V1j5B[
I}q5'uM
>fhBlvSA
-o)n'R
0x(@B-JO
LY%%J.Z
it^~j%u
@T[Ph8NBp
\`B:rk
:'BHp5
xX5Qg:
Z00Ws:
h-x9aX
q3'x2'
Ye`}d9
:0GO.s
+\'(CR
K$h}a1[*
YaBwpUNs
7F%GB#
Ml<-7'+z
tvWxVz_
Z^h/]X
cS4 Ov
!XhC,>
@ZhuL=
h^6^Y`
0mWh=?
nj1 lBNV
[Zhf^I
c#o^1
};!/<U
l]6qW@
1<X;zeV
H1`r#z
3y;;!)h
<=v>Si
NL_:N@
Qs=)B
"(X.Kw
fLJp''d
BlC!1jF
GB~/ly
&*`4iU
^iXRR
|; ?H)
N/@=^]K:
%Wlh_b *8Md'X){
a>N8r%m
%]EZi+0
<OYD!`>Nw
*'~d,6_
'\aq$
=/)Dq
dU:dwt
hI-'_0w0
T0OhTi
y5CA'w
y-z~Vs'z
:AT 2
dowq00K(
=RW:0Ud
b[I?Zu\
@-p.0{
-YAD&(
T%d,x0
R^4D/)
.}Detj-
_ $891
+;JGXCt>
6 y\_1
zT%\ZP
rj:v,e
FP/X')0#
w05-TF
J-h^|Zb
hY6PtZ
-}qUm]k
hQ;%/2
hwD.0m
5b^zCz%
[!`c5,>
#A~K``
YEky~E
h'v}V=
\?O%&H
ef/B?@
j"DDJ[
gM/Azg
:#I*1*
hNZ->O
`ZD#FXi`J
ju`WGVr
1|]D]
J%]w>Q
8W#c_`
(-6N`
S%b}Ri
2'9B$y
PM}Q/j
Y9v{J
DvoZ_s
drP`/@
b$fo<
OZZ*}R
aVOAhV,?5
vhbk5R
D1XR@
\F<*N@b
h1|_^
tqIbVN
V\@od]V
-'('jSt
nr6SbY
ak.5:4L
h&Hfu}
R'][1e
Gxg\\u
@qG8h^
hu#'wnU
XY{@WWUh
}(USER32
ADVePI1
- Vcs#
`oA\.21A
UcX(_*~
yubd``
(M1k
R!_>H,
k(7g/&i#
3`G)Rx
6~u`l$&H
p((4;y*
*@5,:pG
hq63Sx$
S$\as03
F#[0.L
a8|5",p
L[tRV@0
Hts&%<
yxp(Lhj
T67? g
dA]N}ptS
|`O9?n
XAL60Tv
E`CH4#
cKg$ba!
qCq+8@
amA]t
,SJ38a
E r1A&
]<<:so(
WU+/TS&
JhH!ZjB
'x.jMT
R:/:>V
h4gNr!
,s0iH!<
7d0xzI
7}n s0
H0v1
avrc0z
,=N{FD
dMl|H9
[zL:,&
Of+Hx4
<xpB(7k
07MT<e4
i-jDflM
z@aTYQ
6@+~.(Y
<^7 @A@f_
*%#U:KV
1hzu2j"
!u+BLh`
8Ehqi#r
Z`>9m}
D-`z?&K
D`Tn?A=
j(VLauMo
=Ig_<Z6
O[0Jh?6
5;`W$>
Mht;V,
+gVa,h
R1\UV.
\H3N61
zB%d!DLP
Except
ion I7farmaG
sfwYr
nCTRL+
T;%UGU
E&?`Z
8;q%Xwn
I9$`('Q%
x.JG >
UWj@Zm+
13Y/`.
ZhMNuK
O@_UPh
Q%tmK7a
sT^h6i
jhz[M04H?K
i~UtkG
Zj:H,01V
s=O| =
thO^[1B
"X)3/8
-`i@OT
Aj|+:N
(\UnijU}S
vI*jL^
KQ7k44)
`J9-oM
")rp1{
%V_]^6%
a5+oRA-/(*
xiD]sj
KM>Q P
g ,;[ry~
dq`Q t
BZsT~#
a>9Uu}
>&8;<%
WzjH@E
:h%QS`
h+*gm
qxK.!m
@Z~N+t
>}B#`i
0ruNO[X
Tx@9A*
_|/ia$
rQJx'G
%TU`R5
Ra%1?
l$k<PX
35pId!
5p3\0u
5C*^K+
-cXNDY
C&b&=}D
`_E@Gx
'>Fu D
K@Z`,@
snMy&,kBy/a?
a^hq^H
ZUs@/u
`LTd,i$X
Z$]SPL
Ov+$0A
@p}~|(
0]KP,E
sS(9<o
TDU_p1
WDY,y_
8E_6DX
RmL`t"X
<"?^H.
?Ja/`#
up*JG"D
-m`qdaX
a4E+/l#
XU81PL
A`~n7|
F HU O
>:A[%H
:,K"-z
%q.xT,
D0Eg!x{
60Yq~n
5= Nu%5
PqO%m#
(R@\_w
=LfF2IH
:wNa5qI
<`BNy
V8*A6c%0%
x `8L
r~sx@L
P$)R4@
Df3'~$
&!$9=
'Z$o_q
;iWV?v]
v \q,j
"Z`*`h-m
q-xzTA(
AZ 0p.
CES|\U
aZ@B&-
^p3|%_
j0(t\0
d!eDit
|~ltF#
N0|UQzL
V:f\X`@
:z"L*s
PLI-9
>=& 3E
0N|ayMZ
xQ-zyc|
|^}%[,
^fR,\0,
$IzYT
t[.0Lg
1V^4ZX
H?FbxSA!
i2oP@~3
71Pvc/
1H}xx<O
BCk3[)z
]vlcSM
awIH^[Z
+F:^dz`/W_
x!I`D$
i{_xQZnS
tT%{~d
B5Y^`@
hrJX3
/NDLC'1
hF+LNY`
}QHW?*.
V&h1R!3,R
'*G&4qQ`
$POA3_
{61EhbN
=<?C;T
tJj/ty
D%&,'
k0@*}s
S$zjhvF
FK@TND_K
4`q+vH
H{8Ozl
|Dj`l,
t@o@ou
.v)7V<a
yG24%P
K~8^Fl
HKDjl
4%'gYH
Tl7j=M
,!#'&;e
We 't(@79?
zW-oks
EW/k$#
wy@CQY/
+lk-d_
u;N2s9/
`aPSR`
dek_0F
E_A)c%
%0{6J/
GY^d<B`
kn<dd[
i(/9B:
pC*b!5
TmI2n\
TRD7Y`
yd%b!qD
\QQWov
sX&|ad$0%m(
IWsvpC*,O
=QL)@J
#2 JjM
THu)T"
fl%RZ]j
D^10ul
eu/'+U).TV.
iS=P@k
;!4%eD=
8-S-pE9,0:
%#r\Q(1-
w_h|k
|n;m L
M[@h`^)
Nz2n[\
I-Qh/v+'
/=boj2
R~M%YtkT
f&z%bo
y\aPQYo
RrZ?D[
_K ()J
0dt5:/x,
fq3-6i
{\Rd8
*EV0Z|
p|ZfEo
_$/qp*
=&g z$
yQ)W8/
GLtDV-
|#,0K&]
uTSl_I
]J.La_
0_{UItl
$?1.ud
6n.[Q7~
}LJ?`9
/9R(@b
UJE0.X
Cy0FB
$t:1=W
Dd.vp2
,nD@:C
TZq<7{
3D' ,)
JC*HK,LL
_`4kHD|
2k_p<#Vj
j;(?zr
@\~5qT
!#Qx:@
h*0NC
ON4G?g
v~lpzrc
>mR49p?
z9P;0cl
VF$JZ{
:(WVCpM
TDP!f1
ecAX0y
O`A,ets
n,,#M$d
A`H-|v(z
B`hNIA
p@P81,
AB$T!:
[%CAd*
kbmysf
O$W,P
(~Y'31
1pQh`
!PdF% H
Hkwd87@u.,
EXOrFX
T`|&!(
Y(!<m"
bAdu7W0bP)
y5F%"I
}LKl f>
:7006!X
a<JR>_
`|&?02
dS!@(;r
j#RAX{
=fd@oGP
.0FJ|)
D(@{d2
Vt7M>8
fFKT~
YST(^
W84px@
xh0_/n:X
;za,iEaI
@H,s??b
R4 xNo
c3"d])
P qBT)(y
D<9H!A
Q(y!Ts?
H]`L}5
Ta^(Hr
&5iZO$d
#MtSnAL
(Cvl2J
pmtdLX
U.4_0(
=+7Q}{
[80 q]9
E;J{'W@9V
WU<_i<
('\689
dC}'IH
Jk`:tu
Nc\oKH{
.z#&'&h
zVsepC
X`Y2f6
xV _l)
8>0;iF
2Z K{(
TL5`Fu
4m[zX3
?hkxZQ
H^Pjqz
q,Ol.~
. HW:]
60#]9-
`Pe:X:0
Z7O*T>
&0"{!>
f0Y<@tA
7f;)q:n
AbU@~E
KXMB5`
,CUF0A
`ptRes
&pG Z]
1]`[|AG
(`EL0
Vmul^"
g;W9tHAX
|SjIn0
P0BsYn
6\-:.7
ZpClVQ
@*Zi5Js
3tHsbp
<A{3C3
q_*XEyb
YX9p$W
yd@@.FT
v@w`0z
>it}aB
l9Fx.n
N%Gm~np
g:Yt&N
E:n@0i8Y
kju5Kx|Z
;unL2<
aPu0H8
@M\L_|}
pim%Dl
0#!A/z
pb3p0#
!R9$`t
Il@~N^ @
YH{pw-"G
"8="^!"
Qh|+2C
He5wI,
)|^6Ub
6h0G2Xq
/x`wX,1tz
Ht?> )P
~Cn2<D:
\%$'2F
'46HfBZ"$
qMmcygn
T7N8@p
r2qHbt
$?z)?u
/JGMEH
-!*2K]
Z<x#R?
,-='Xh/
~[3&LBhI
@p!HAR
I=}+;Y
`a?YaC)!
Lv #GL
fd/x@`;
=0t]p8{
ID"0!W
y.=8bc
9n$}g_
H>"Ml6
S$nFJX.0h
FQPbSl
$ja1Ds
F^Z:A]
?o_z,DQX
G=7Dnq
HRT$68
g-GJK2l
F@(xD-X
@ lW=A
a=d|eL
|=CWX~l
|`mH8+
0KzC(o
-p1JF(
5 )E|=
6FZrEd
dxUJ%
X 36x+
AH@tz
N,j$"\
1ty+p
Zc{`0G
T.I{Pk
r|Ap,`N@
CrUj.N
t3KQzqa
HCF<"y
$8J;~D
hPpvM0
,@1QNo
vx%'55|$H
~b%L$<
@<M{1.
zvI1H>
JO,63R
F,Lwl$
t2\PWZ
V3j)!+0`
20si-F
\<.(PT
;)AMGY
&4@cpq
c.PoxYZ
C_A&!i
@%`y0hG#
B;d@?Z
'z@F{P<0
0ZsA%N=
Q#s9ba
BS6Nj%R[
; ek_~
`:(T-S
0(qPBNF
b(pNX
5tI!X)
:L&YX)H
$gp`rH
|du>3:
0F4(_2
8SKf0{
[RQ1 d
XzYH9(
t)o(ha
Ic$04x
=5swD]
sl/5ZB
!8AcQS`
-_3/!\
'*(XDY
8 4k'!
<a.T.A
{aijt7
^BP2?h
h596UP
;kV!\U
zw}`D(
PlP$lp
{Wg|Us
Vp\1Xa
h{_IT0
R9g+P*
d0$}0b
)`p:Rb;a
`Oh EqY
ye.`wq
@H@eb:q
|@ePxd
!TC7k%
39wXQTB
!=^bOD
t|4Xr
H1i|?@
G^LoD
+rB5W\
O[6|\$o]
09*&mQ
^26S)p
Z;"fQAY
@v_g^y
;X'$MX(
.6^3L,
y3)z*c
`eM(S0
U7Ms0l
wZDtIn
0|B03p
Nv{`yx
A;C[?L
FfEHFlH
wz-}\(
alPmFw
NB)Gp
x7/{8@
,&)$N$$
h$>l"@
Oo2A8`
n%pRCx
&%0E8
|TV-@F
DH YT&T
Dd-Y.
PXNGbPf
P6y!,y
vlO+PH
~,v8&n
>6F<IP
%)t~O3
.M)| =
+?w<uX
Z1KV`6
Xr<\R;
B%^;WJf
`Dd[ 'P
a0-`l2
,27RkM
Kk6~Z!}
`Lp;x0
fIQ bP.
N|lP&Z
{905U0
1NW5q<
1B'<7s1
/7W}%i
.($C8,
'B<dl
uST_J
p td\1
lg0'.8
^P8lW\Q
^51MWH
e=E<IH
N;g=f:
EUL-GY
&1:>x
U.uH#:F
N^l>rG|
cL4a:$
fTHJ4OeLVt
va!kjP
<Nn0yi
n;8 '.
Lim`%R
kPML&5d
]kus!E
g@HtYv
[Qpfwn
`,BJv!>X+
y(&W8
=7`a>.
4toz}\
vk)&@N}
k>`OiD
["0ed0
i'Xl88
PT,]U73
q0|.H
7)SP.X
<FS.maA
-.x$do
$kf<Bx
4*ldpg(TWI
J/5P|-
m=0_OI
O.df\{
> Imr)
5u"Ot;=
}Uyj",
xMH0Le
{4t=Tw
0mO `)
P:`)tB
}VEP[*q
p.Cu7!
}9*xq&
L# .\40
prpN*0q
`@cq*l
=]k?DU
Yh98D^P\<
XjG10!
4@HE_h
Z#H4r
3I(d@!
80&/DA
LU6I<H
yPg,QX
u<|ITl
b[Z_?P
.VsR]
\n4bA
wV!\_*
>=Wz.e
H>+nhP#4
@"k^`Q
jz\\Ov
;im$@X
s<?P/Ok
7W,o@a
2H|5"H<
/O$ >$
iW @7au
T3*svH
GP`?)Di
|msiP_@HM
fLF!d<
"c $I$
5,r}T@`G
:T)hP|
?np0PL
}X0JC,
=)dsAQ @
chB:-bz
*5AU"%
&C\\`H
5IJU|f
_&KM/I
x+BRl2
,&ei,>
Gxl]&@
{@t&%><
Z5G+>
dN2!+X$K
8HR|(Z
C,!m>S
jzmK?i
p5|Q$` z
|1Q"4CdBP`d
|yF&kV
*-|"=D
pZ:+L'p
5xp&U
gAq B
HX$7t
b2VxW
p$tZu(
P TsVl
.cqm+@
pC%\Nd
P=z,<=(!
,l5x?1
`PSLU8!
(l{@1w2
)Kl@|T=
,W x1d
BNQvHD
#bR8ey.A
P@8] Bc
#1,_bFTF
,,2ETP_
[]D} a
^D}o9
{)b.7T[l<
t_1Y9]K
rPX;\
"X0}u)
s(0XH)a
8}vd).@Iw
X,YN``(
4<>)x3
d``4!
`\vxK"P
D/#yVH
F$^n1;
=Loa;1
PK|Aj`
mYx@5$`I=
Z%^'((
O./N=,
yC{pTv
(Rh2z;L
X-7k?,;
%yj$/
1"we6EW
8%uh}q
:#gCsPz
`N1*T0P
:OrKx-
\]R3)T
7EV6.P
P#4(P1
807{),r0;
kST>tl
/tG`xp8
[-{_j6
6APh4r
I?5X#>
:D4|0F
Q@0$RZ
zEYOs_
_>!ySZ
N&fhd
!}H'/'(pd
D40]/69
r$.OY-
El =D8
0DB<Z
JWA?I:>
all.ico
"""""""
!!
!"
95^^^\@7
8]bbcrrrsrrcb`>
:_bcrsyzzzzzysscb`A
UJ`cpu{|
|{usqbKC[
XKapu{
xupoKL
#'1LNm
mNA1,#Q
#'13Nhm
mjM31'#
#',2LNhhkklnlnnnnnnnnnnnlnllhmjMA2/'
%,13LMNdddeheehgekgeeeheddddNMH31/%
$,124AMMMMMOMeOOOOOOedOOMOMMML421,%
$'/1ALLMMMOMeMOdOdMdMOMdMMdMLL310'$
#''??BBNNNdddddddddeddddddNNBB??,&$
$,EEFFFiiiijjjjjjjjjjiiiiiEFFE?,$
$.Y}}}
}}}Y'#
all.ico
UZkkmmkkX:
LVinrt
#->fe
eb/) S
"+/>[[]`aaa_]a_^^[f>A+&L
!)./EEFFFHFHHHFH>FDD.+#
&.=>>>GGHG[HGG[>>>>;("
#?@Tcccccdcdcccdcc@?'
all.ico
)EDDC(
;FSXXYYXXR.
_!6hmssrtrrrtqqmI%
:'INNPPVVVVPONI6$
$'5FGHHHHHH774'"
#'666777G7766/%
-11JJJIKKJJJ111
0]kkllkllllkl]\
+dyyzzzzzzzzyxc
g{|||~~~~~}{{[
all.ico
3.COTTOB'9
(GU\]][R@
?NQSSSRPM&
>DEFFFEDA)
+,,,-,,*
1<<====<2
_8HIIIIIIH!
#"JKKLLKKJ
:XYYYYW7
#VZY;
v]Cz_8
=5-U<!
Qsu%:r
X%y{4I
S tvLa
V#wyNc
U"vxEZ
Y'{}7L
T"vx:O
Rsu`u
S!uwOd
T!uw9N
X%y{5K
U#wyBW
Z(|}cx
R tvCX
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
CompanyName
Microsoft Corp.
FileDescription
Microsoft .NET
LegalTrademarks
Microsoft
ProductName
Remote Service Application
FileVersion
40.01.0001
ProductVersion
40.01.0001
InternalName
OriginalFilename
Spy24.exe

Dropped Files

28dad3eb8adc0136_windowsdefender.exe

Name: 28dad3eb8adc0136_windowsdefender.exe
Size: 968.5 kB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0643d3106f026b9fbf7daafc053a898a
SHA1: 085602ebfc97ae8f01e36b7575140ffe723d9599
SHA256: 28dad3eb8adc01364cce8d42a791b5189456a77af39ae4dced54db29d33a5184
SHA512: f499e09bd8f20fa7ff488a6fdd52c6590f79fb9303389b4690b285a725c57e8c8700db2e697fc0839985bbac09414f94f744f035046a2f0973b61e8713a26639
Ssdeep: 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQq:tEl1zqnbKTMegMR2GQq

Network

HTTP Requests

http://192.168.1.11:777/1234567890.functions

GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.168.1.11:777
Connection: Keep-Alive

Hosts Involved

IP Address	Country of Origin
88.221.214.41	PL

Geolocation

Destination Country

PL:: 100%

File

Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: D4FB7B24
MD5: afe12fdbc765db1c392fa3741ba5c61e
SHA1: ef08292fd444fe55130a11d0c13b7ca39a50ade2
SHA256: eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4
SHA512: 2ff5d38e8532fbfc10467458ef8bb661bf2128a2abe6e45093b1a62099d3d03f81fe83611dd7448c921c4018cb7e520a1583e74bf47c344b5783246399d60038
Ssdeep: 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQt:tEl1zqnbKTMegMR2GQt
PEiD: None matched

Screenshots

Behavior Summary

Registry Key-Opened

HKEY_CURRENT_USER\Software\WinLicense
HKEY_CURRENT_USER\Software\Wine
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Registry Key-Written

HKEY_CURRENT_USER\Software\WinLicense\CheckIN
HKEY_CURRENT_USER\Software\WinLicense\ExitIN
HKEY_CURRENT_USER\Software\WinLicense\ProcIN
HKEY_CURRENT_USER\Software\WinLicense\ProcOUT
HKEY_CURRENT_USER\Software\WinLicense\TpIN

Processes

Process Name

PID

Parent PID

eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe 2468 2416

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1600443966.59	4	__exception__	stacktrace: ["RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x7dea9ed2", "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x7dea9ea5"] exception: {"address": "0x52e0c9", "exception_code": "0xc0000096", "instruction": "sti", "instruction_r": "fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc", "module": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe", "offset": 1237193, "symbol": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4+0x12e0c9"} registers: {"eax": 1, "ebp": 1638292, "ebx": 2130567168, "ecx": 0, "edi": 0, "edx": 6262784, "esi": 0, "esp": 1638276}	Status SUCCESS
1600443966.59	3	LdrLoadDll	module_name: "USER32.dll" basename: "USER32" stack_pivoted: 0 flags: 0 module_address: "0x7dc50000"	Status SUCCESS
1600443966.59	2	__exception__	stacktrace: [] exception: {"address": "0x47e03d", "exception_code": "0xc0000096", "instruction": "sti", "instruction_r": "fb 53 bb e3 50 b2 59 01 d8 5b 55 e9 c7 fc ff ff", "module": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe", "offset": 516157, "symbol": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4+0x7e03d"} registers: {"eax": 4708907, "ebp": 4117737492, "ebx": 38404682, "ecx": 586, "edi": 4445554, "edx": 2130566132, "esi": 3, "esp": 1638240}	Status SUCCESS
1600443966.6	3	NtCreateFile	create_disposition: 1 file_handle: "0x00000000" filepath: "\??\SICE" desired_access: "0xc0100080" file_attributes: 128 filepath_r: "\??\SICE" create_options: 96 status_info: 4294967295 share_access: 3	Return Value 3221225524 Status FAILURE
1600443966.6	8	__exception__	stacktrace: [] exception: {"address": "0x48058b", "exception_code": "0xc0000096", "instruction": "sti", "instruction_r": "fb e9 95 02 00 00 89 1c 24 54 5b 81 c3 04 00 00", "module": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe", "offset": 525707, "symbol": "eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4+0x8058b"} registers: {"eax": 26616, "ebp": 4117737492, "ebx": 4714675, "ecx": 4294943196, "edi": 199913, "edx": 4745815, "esi": 1164460653, "esp": 1638244}	Status SUCCESS
1600443966.6		RegCreateKeyExA	regkey_r: "Software\WinLicense" base_handle: "0x80000001" key_handle: "0x00000070" class: "" options: 0 access: "0x02000000" disposition: 0 regkey: "HKEY_CURRENT_USER\Software\WinLicense"	Status SUCCESS
1600443966.6		RegSetValueExA	key_handle: "0x00000070" regkey_r: "CheckIN" reg_type: 4 value: 1085 regkey: "HKEY_CURRENT_USER\Software\WinLicense\CheckIN"	Status SUCCESS
1600443966.6		RegCloseKey	key_handle: "0x00000070"	Status SUCCESS
1600443966.6		RegCreateKeyExA	regkey_r: "Software\WinLicense" base_handle: "0x80000001" key_handle: "0x00000070" class: "" options: 0 access: "0x02000000" disposition: 0 regkey: "HKEY_CURRENT_USER\Software\WinLicense"	Status SUCCESS
1600443966.6		RegSetValueExA	key_handle: "0x00000070" regkey_r: "ExitIN" reg_type: 4 value: 0 regkey: "HKEY_CURRENT_USER\Software\WinLicense\ExitIN"	Status SUCCESS

Showing 1 to 10 of 34 entries

Previous1 2 3 4Next

Classification

Indicators

Yara

MITRE ATT&CK®

Enterprise Matrix (Tactics and Techniques)

Static Analysis

Version Infos

Sections

Resources

Imports

Library kernel32.dll:

Library comctl32.dll:

Strings

Dropped Files

28dad3eb8adc0136_windowsdefender.exe

Network

HTTP Requests

http://192.168.1.11:777/1234567890.functions

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

Registry Key-Opened

Registry Key-Written

Processes

eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe24682416

MITRE ATT&CK^®

eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4.exe 2468 2416