Analysis Report image.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 786614
Start date: 13.02.2019
Start time: 16:35:19
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: image.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.adwa.spyw.evad.winEXE@63/14@6/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 53.9% (good quality ratio 50.8%)
  • Quality average: 75.4%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 85
  • Number of non-executed functions: 196
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: image.exe, bnmoc.exe, bnmoc.exe, bnmoc.exe

Detection

Strategy: Threshold; Score: 100; Range: 0 - 100; Reporting: Report FP / FN; Whitelisted: false; Detection: malicious

Confidence

Strategy: Threshold; Score: 5; Range: 0 - 5; Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



MITRE ATT&CK Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Command-Line Interface 1; Exploitation for Client Execution 1; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Startup Items 2; Registry Run Keys / Start Folder 21; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Startup Items 2; Process Injection 411; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing 2; Disabling Security Tools 111; Process Injection 411; Obfuscated Files or Information 4; Masquerading
Credential Access: Credentials in Files 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery 1; Security Software Discovery 231; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication; Standard Cryptographic Protocol

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Avira: Label: TR/Dropper.Gen
Antivirus detection for submitted file
Source: image.exe; Avira: Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; virustotal: Detection: 72%
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; metadefender: Detection: 56%
Source: C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe; metadefender: Detection: 56%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; metadefender: Detection: 56%
Multi AV Scanner detection for submitted file
Source: image.exe; virustotal: Detection: 72%
Source: image.exe; metadefender: Detection: 56%
Antivirus detection for unpacked file
Source: 27.2.bnmoc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.bnmoc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 37.2.bnmoc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.bnmoc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Enumerates the file system
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: 4x nop then pop edi 8_2_0040BB2F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: 4x nop then pop esi 8_2_00414690
Source: C:\Windows\System32\msg.exe; Code function: 4x nop then pop esi 15_2_00074690
Source: C:\Windows\System32\msg.exe; Code function: 4x nop then pop edi 15_2_0006BB2F
Source: C:\Windows\System32\cmmon32.exe; Code function: 4x nop then pop esi 24_2_00074690
Source: C:\Windows\System32\cmmon32.exe; Code function: 4x nop then pop edi 24_2_0006BB2F

Networking:

Social media urls found in memory data
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://www.facebook.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://www.facebook.com/favicon.ico
Found strings which match to known social media urls
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp; String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.evcvnymlarked.review
Urls found in memory or binary data
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1703078184.02CBA000.00000004.sdmp; String found in binary or memory: http://crl.microso
Source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp; String found in binary or memory: http://crl.microsoft$
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp; String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000009.00000000.1695567792.015AA000.00000004.sdmp; String found in binary or memory: http://ns.adobedel
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp; String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000009.00000000.1698938326.02080000.00000008.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmpString found in binary or memory: http://www.d-trust.ne
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.1703078184.02CBA000.00000004.sdmpString found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmpString found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmpString found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmpString found in binary or memory: https://www.mozilla.org/firefox/43.0.1/releasenotes
Source: msg.exe, 0000000F.00000002.1953565207.01ECF000.00000004.sdmpString found in binary or memory: https://www.wendihutagaol.com/hu/?RN=kBvVMbxNpEnnNAgtDWXnr5DLJDjY6g37u8QPxKjeIinPPfxBfL5X92QC6Wo69Ol

System Summary:

FormBook malware detected
Source: C:\Windows\System32\msg.exe; Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logri.ini
Source: C:\Windows\System32\msg.exe; Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logrv.ini
Source: C:\Program Files\Mozilla Firefox\firefox.exe; Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logrf.ini
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: image.exe
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00716580 NtUnmapViewOfSection,14_2_00716580
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00716660 NtWriteVirtualMemory,14_2_00716660
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00716630 NtWriteFile,14_2_00716630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715860 NtOpenDirectoryObject,14_2_00715860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715960 NtOpenProcessToken,14_2_00715960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715950 NtOpenProcess,14_2_00715950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_007159D0 NtOpenThread,14_2_007159D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715AE0 NtProtectVirtualMemory,14_2_00715AE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715BE0 NtQueryInformationFile,14_2_00715BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715C40 NtQueryInformationToken,14_2_00715C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715D50 NtQuerySection,14_2_00715D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715E20 NtQueryVirtualMemory,14_2_00715E20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 14_2_00715E10 NtQueryValueKey,14_2_00715E10
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616130 NtSetContextThread,NtSetContextThread,15_2_01616130
Source: C:\Windows\System32\msg.exeCode function: 15_2_016151D0 NtCreateKey,NtCreateKey,15_2_016151D0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615190 NtCreateFile,NtCreateFile,15_2_01615190
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616070 NtResumeThread,NtResumeThread,15_2_01616070
Source: C:\Windows\System32\msg.exeCode function: 15_2_016163D0 NtSetValueKey,NtSetValueKey,15_2_016163D0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615390 NtDelayExecution,NtDelayExecution,15_2_01615390
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616200 NtSetInformationFile,NtSetInformationFile,15_2_01616200
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615210 NtCreateMutant,NtCreateMutant,15_2_01615210
Source: C:\Windows\System32\msg.exeCode function: 15_2_016152B0 NtCreateSection,NtCreateSection,15_2_016152B0
Source: C:\Windows\System32\msg.exeCode function: 15_2_016165E0 NtWaitForSingleObject,15_2_016165E0
Source: C:\Windows\System32\msg.exeCode function: 15_2_016155A0 NtFreeVirtualMemory,15_2_016155A0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616460 NtSuspendThread,NtSuspendThread,15_2_01616460
Source: C:\Windows\System32\msg.exeCode function: 15_2_016154E0 NtEnumerateValueKey,NtEnumerateValueKey,15_2_016154E0
Source: C:\Windows\System32\msg.exeCode function: 15_2_016157F0 NtMapViewOfSection,NtMapViewOfSection,15_2_016157F0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616630 NtWriteFile,NtWriteFile,15_2_01616630
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615DC0 NtQuerySystemInformation,NtQuerySystemInformation,15_2_01615DC0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615C40 NtQueryInformationToken,NtQueryInformationToken,15_2_01615C40
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615C10 NtQueryInformationProcess,NtQueryInformationProcess,15_2_01615C10
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615E40 NtQueueApcThread,NtQueueApcThread,15_2_01615E40
Source: C:\Windows\System32\msg.exeCode function: 15_2_01614E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,15_2_01614E30
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615E10 NtQueryValueKey,NtQueryValueKey,15_2_01615E10
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615EC0 NtReadVirtualMemory,NtReadVirtualMemory,15_2_01615EC0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01614EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,15_2_01614EA0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615E80 NtReadFile,NtReadFile,15_2_01615E80
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615090 NtClose,15_2_01615090
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615270 NtCreateProcessEx,15_2_01615270
Source: C:\Windows\System32\msg.exeCode function: 15_2_016155E0 NtGetContextThread,15_2_016155E0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616580 NtUnmapViewOfSection,15_2_01616580
Source: C:\Windows\System32\msg.exeCode function: 15_2_016154B0 NtEnumerateKey,15_2_016154B0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01616660 NtWriteVirtualMemory,15_2_01616660
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615960 NtOpenProcessToken,15_2_01615960
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615950 NtOpenProcess,15_2_01615950
Source: C:\Windows\System32\msg.exeCode function: 15_2_016159D0 NtOpenThread,15_2_016159D0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615860 NtOpenDirectoryObject,15_2_01615860
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615BE0 NtQueryInformationFile,15_2_01615BE0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615AE0 NtProtectVirtualMemory,15_2_01615AE0
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615D50 NtQuerySection,15_2_01615D50
Source: C:\Windows\System32\msg.exeCode function: 15_2_01615E20 NtQueryVirtualMemory,15_2_01615E20
Source: C:\Windows\System32\msg.exeCode function: 15_2_00076B50 NtCreateFile,15_2_00076B50
Source: C:\Windows\System32\msg.exeCode function: 15_2_00076C00 NtReadFile,15_2_00076C00
Source: C:\Windows\System32\msg.exeCode function: 15_2_00076D30 NtAllocateVirtualMemory,15_2_00076D30
Source: C:\Windows\System32\msg.exeCode function: 15_2_00076B4A NtCreateFile,15_2_00076B4A
Source: C:\Windows\System32\msg.exeCode function: 15_2_00076D2B NtAllocateVirtualMemory,15_2_00076D2B
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775210 NtCreateMutant,NtCreateMutant,24_2_00775210
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007755A0 NtFreeVirtualMemory,24_2_007755A0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775C10 NtQueryInformationProcess,NtQueryInformationProcess,24_2_00775C10
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775DC0 NtQuerySystemInformation,NtQuerySystemInformation,24_2_00775DC0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00774E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,24_2_00774E30
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00774EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,24_2_00774EA0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776070 NtResumeThread,24_2_00776070
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775090 NtClose,24_2_00775090
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776130 NtSetContextThread,24_2_00776130
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007751D0 NtCreateKey,24_2_007751D0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775190 NtCreateFile,24_2_00775190
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775270 NtCreateProcessEx,24_2_00775270
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776200 NtSetInformationFile,24_2_00776200
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007752B0 NtCreateSection,24_2_007752B0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007763D0 NtSetValueKey,24_2_007763D0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775390 NtDelayExecution,24_2_00775390
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776460 NtSuspendThread,24_2_00776460
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007754E0 NtEnumerateValueKey,24_2_007754E0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007754B0 NtEnumerateKey,24_2_007754B0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007755E0 NtGetContextThread,24_2_007755E0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007765E0 NtWaitForSingleObject,24_2_007765E0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776580 NtUnmapViewOfSection,24_2_00776580
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776660 NtWriteVirtualMemory,24_2_00776660
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00776630 NtWriteFile,24_2_00776630
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007757F0 NtMapViewOfSection,24_2_007757F0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775860 NtOpenDirectoryObject,24_2_00775860
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775960 NtOpenProcessToken,24_2_00775960
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775950 NtOpenProcess,24_2_00775950
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_007759D0 NtOpenThread,24_2_007759D0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775AE0 NtProtectVirtualMemory,24_2_00775AE0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775BE0 NtQueryInformationFile,24_2_00775BE0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775C40 NtQueryInformationToken,24_2_00775C40
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775D50 NtQuerySection,24_2_00775D50
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775E40 NtQueueApcThread,24_2_00775E40
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775E20 NtQueryVirtualMemory,24_2_00775E20
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775E10 NtQueryValueKey,24_2_00775E10
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775EC0 NtReadVirtualMemory,24_2_00775EC0
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00775E80 NtReadFile,24_2_00775E80
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00076B50 NtCreateFile,24_2_00076B50
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00076C00 NtReadFile,24_2_00076C00
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00076D30 NtAllocateVirtualMemory,24_2_00076D30
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00076B4A NtCreateFile,24_2_00076B4A
Source: C:\Windows\System32\cmmon32.exeCode function: 24_2_00076D2B NtAllocateVirtualMemory,24_2_00076D2B
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\cmmon32.exe; Code function: String function: 00782824 appears 79 times
Source: C:\Windows\System32\cmmon32.exe; Code function: String function: 00751ACE appears 132 times
Source: C:\Windows\System32\cmmon32.exe; Code function: String function: 0074F63B appears 239 times
Source: C:\Windows\System32\cmmon32.exe; Code function: String function: 00763D00 appears 41 times
Source: C:\Windows\System32\cmmon32.exe; Code function: String function: 007CF3E2 appears 83 times
Source: C:\Windows\System32\msg.exe; Code function: String function: 01603D00 appears 38 times
Source: C:\Windows\System32\msg.exe; Code function: String function: 01622824 appears 70 times
Source: C:\Windows\System32\msg.exe; Code function: String function: 0166F3E2 appears 64 times
Source: C:\Windows\System32\msg.exe; Code function: String function: 015F1ACE appears 99 times
Source: C:\Windows\System32\msg.exe; Code function: String function: 015EF63B appears 213 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 0076F3E2 appears 125 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 006F1ACE appears 205 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 006EF63B appears 372 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 007172D0 appears 44 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 00703D00 appears 61 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Code function: String function: 00722824 appears 122 times
Reads the hosts fileShow sources
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\msg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample file is different than original file name gathered from version infoShow sources
Source: image.exe, 00000000.00000002.1668259647.002A8000.00000004.sdmpBinary or memory string: OriginalFilenamebnm.exe4 vs image.exe
Source: image.exe, 00000000.00000002.1668108691.00263000.00000004.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs image.exe
Source: image.exe, 00000000.00000002.1669437521.00510000.00000004.sdmpBinary or memory string: OriginalFilenameRunPEDll.dll2 vs image.exe
Source: image.exe, 00000000.00000002.1669910969.013B0000.00000002.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs image.exe
Source: image.exe, 00000000.00000002.1672009462.02A97000.00000004.sdmpBinary or memory string: OriginalFilenamestub.exe4 vs image.exe
Source: image.exeBinary or memory string: OriginalFilenamebnm.exe4 vs image.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\image.exeFile read: C:\Users\user\Desktop\image.exeJump to behavior
Searches the installation path of Mozilla FirefoxShow sources
Source: C:\Windows\System32\msg.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\43.0.1 (x86 en-US)\Main Install DirectoryJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Windows\System32\msg.exeSection loaded: mozglue.dllJump to behavior
Source: C:\Windows\System32\msg.exeSection loaded: winsqlite3.dllJump to behavior
Uses reg.exe to modify the Windows registryShow sources
Source: unknownProcess created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: image.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bnmoc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: certmgrqrj8dx.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: certmgrqrj8dx.exe0.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bnmoc.exe.29.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification labelShow sources
Source: classification engineClassification label: mal100.adwa.spyw.evad.winEXE@63/14@6/0
Contains functionality to instantiate COM classesShow sources
Source: C:\Windows\System32\msg.exeCode function: 15_2_0006FB80 CoInitialize,CoCreateInstance,OleUninitialize,15_2_0006FB80
Creates files inside the program directoryShow sources
Source: C:\Windows\explorer.exeFile created: C:\Program Files\MdxylbJump to behavior
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\image.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeJump to behavior
Creates temporary filesShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeFile created: C:\Users\user\AppData\Local\Temp\bnmocxzasa.txtJump to behavior
Found command line outputShow sources
Source: C:\Windows\System32\cmd.exeConsole Write: ........P#..........M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .[.V.e.r.s.i.o.n. .6...1...7.6.0.1.].......Ww4...H...`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................0.......4....s..........................P......o........\...j.]w...o....t........E.I....l...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ..T...................0.....0.......4....s..................................\...j.]w...o.......o......T.~....,.I....t...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................0.......4....s......................................\...j.]w...o...o....x........E.I....p...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................0.......4....s..............................C\.wPY.wl..............oh............E.I........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........4......w@..Ix.(.....................(...x......wX...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ..T...................0.....0.......4...-s..........................\...........`.(..............((...T.....5...........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................0.......4...fs...........................r*.P.(.H.....(.P.(..r*....oh............E.I........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@..I8......w@..Ix.(.........(...x......wX...Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.x.i.t.........4...rs..........................\...........;..w............P.(.|.......5...........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.............4....w..........................D...........!...@@ ....."..m$............FWJ........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........t....o/.....V.UJ............t.........WwH...&...`.....,.....Jump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: image.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\image.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\Desktop\image.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\image.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\user\Searches\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\image.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: image.exe | virustotal: Detection: 72%
Source: image.exe | metadefender: Detection: 56%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\image.exe 'C:\Users\user\Desktop\image.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\msg.exe C:\Windows\System32\msg.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt | cmd
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: unknown | Process created: C:\Windows\System32\cmmon32.exe C:\Windows\System32\cmmon32.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\raserver.exe C:\Windows\System32\raserver.exe
Source: unknown | Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown | Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe
Source: unknown | Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe 'C:\Program Files\Mdxylb\certmgrqrj8dx.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\Desktop\image.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\msg.exe C:\Windows\System32\msg.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt | cmd
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmmon32.exe C:\Windows\System32\cmmon32.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\raserver.exe C:\Windows\System32\raserver.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe 'C:\Program Files\Mdxylb\certmgrqrj8dx.exe'
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Windows\System32\msg.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\msg.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32
Writes ini files
Source: C:\Windows\System32\msg.exe | File written: C:\Users\user\AppData\Roaming\K47N66PW\K47logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\image.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Creates a directory in C:\Program Files
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Mdxylb
Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe
PE file contains a COM descriptor data directory
Source: image.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\image.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: image.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: cmmon32.pdb source: bnmoc.exe, 00000008.00000002.1737711731.002B4000.00000004.sdmp
Source: Binary string: cmmon32.pdbr2v source: bnmoc.exe, 00000008.00000002.1737711731.002B4000.00000004.sdmp
Source: Binary string: msg.pdb source: bnmoc.exe, 0000000E.00000002.1723167362.002E4000.00000004.sdmp
Source: Binary string: ntdll.pdb source: bnmoc.exe, msg.exe, cmmon32.exe
Source: Binary string: ntdll.pdb3 source: bnmoc.exe, 00000008.00000003.1672350373.00430000.00000004.sdmp, bnmoc.exe, 0000000E.00000003.1694753168.00430000.00000004.sdmp
Source: Binary string: objs\libjsoundds\jsoundds.pdb source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: image.exe, 00000000.00000002.1669910969.013B0000.00000002.sdmp, bnmoc.exe, 00000004.00000002.1675328490.005A0000.00000002.sdmp, bnmoc.exe, 0000000A.00000002.1697347055.01410000.00000002.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Unpacked PE file: 8.2.bnmoc.exe.20000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Unpacked PE file: 14.2.bnmoc.exe.20000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_004199C5 push eax; ret 8_2_00419A18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_0040B9A1 push eax; ret 8_2_0040B9A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_00419A7C push eax; ret 8_2_00419A82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_00419A12 push eax; ret 8_2_00419A18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_00419A1B push eax; ret 8_2_00419A82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_00413A3D push edi; iretd 8_2_00413A3E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_0041AE22 push ebp; ret 8_2_0041AE23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_004186E2 push dword ptr [esi-6EDD6829h]; ret 8_2_004186EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_0041AF64 push 83D481C5h; ret 8_2_0041AF69
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_0041AF7C push edi; retf 8_2_0041AF7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_00722869 push ecx; ret 8_2_0072287C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 14_2_00722869 push ecx; ret 14_2_0072287C
Source: C:\Windows\System32\msg.exe | Code function: 15_2_01622869 push ecx; ret 15_2_0162287C
Source: C:\Windows\System32\msg.exe | Code function: 15_2_0007A3C4 push cs; iretd 15_2_0007A3C5
Source: C:\Windows\System32\msg.exe | Code function: 15_2_000786E2 push dword ptr [esi-6EDD6829h]; ret 15_2_000786EB
Source: C:\Windows\System32\msg.exe | Code function: 15_2_0006B9A1 push eax; ret 15_2_0006B9A8
Source: C:\Windows\System32\msg.exe | Code function: 15_2_000799C5 push eax; ret 15_2_00079A18
Source: C:\Windows\System32\msg.exe | Code function: 15_2_00079A12 push eax; ret 15_2_00079A18
Source: C:\Windows\System32\msg.exe | Code function: 15_2_00079A1B push eax; ret 15_2_00079A82
Source: C:\Windows\System32\msg.exe | Code function: 15_2_00079A7C push eax; ret 15_2_00079A82
Source: C:\Windows\System32\msg.exe | Code function: 15_2_0007AE22 push ebp; ret 15_2_0007AE23
Source: C:\Windows\System32\msg.exe | Code function: 15_2_0007AF64 push 83D481C5h; ret 15_2_0007AF69
Source: C:\Windows\System32\msg.exe | Code function: 15_2_0007AF7C push edi; retf 15_2_0007AF7D
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_00782869 push ecx; ret 24_2_0078287C
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_0007A3C4 push cs; iretd 24_2_0007A3C5
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_000786E2 push dword ptr [esi-6EDD6829h]; ret 24_2_000786EB
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_0006B9A1 push eax; ret 24_2_0006B9A8
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_000799C5 push eax; ret 24_2_00079A18
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_00079A12 push eax; ret 24_2_00079A18
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_00079A1B push eax; ret 24_2_00079A82
Source: C:\Windows\System32\cmmon32.exe | Code function: 24_2_00073A3D push edi; iretd 24_2_00073A3E
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample | Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample | Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample | Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample | Static PE information: section name: .text entropy: 7.38254453232

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Windows\explorer.exe | File created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Windows\System32\msg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa
Drops PE files to the startup folder
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\image.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\image.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Users\user\Desktop\image.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe\:Zone.Identifier:$DATA
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Creates an autostart registry key
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa
Source: C:\Windows\System32\msg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC
Source: C:\Windows\System32\msg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\image.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process information set: NOOPENFILEERRORBOX (97 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\System32\msg.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\msg.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Process information set: NOOPENFILEERRORBOX (46 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking system information)
Source: C:\Windows\System32\cmmon32.exe | Evasive API call chain: NtQuerySystemInformation, DecisionNodes, ExitProcess
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: image.exe, 00000000.00000002.1671280586.01A20000.00000004.sdmp, bnmoc.exe, 00000004.00000002.1676704295.01EA0000.00000004.sdmp, bnmoc.exe, 0000000A.00000002.1699513950.01960000.00000004.sdmp | Binary or memory string: SBIEDLL.DLL
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Code function: 8_2_004073E0 rdtsc 8_2_004073E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\image.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Enumerates the file system
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\image.exe TID: 2304 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 2368 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3828 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3828 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 1888 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msg.exe TID: 2240 | Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 3420 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe TID: 3584 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 3080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe TID: 3756 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\msg.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000009.00000000.1705084626.04740000.00000004.sdmp | Binary or memory string: vmbusres.dll,
Queries a list of all running processes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe | Process information queried: ProcessInformation

Anti Debugging:

Found API chain indicative of debugger detectionShow sources
Source: C:\Windows\System32\cmmon32.exeDebugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Checks for debuggers (devices)Show sources
Source: C:\Windows\explorer.exeFile opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_8dae6c61b8a77b32.cdf-ms
Source: C:\Windows\explorer.exeFile opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Source: C:\Windows\explorer.exeFile opened: C:\Windows\WinSxS\FileMaps\program_files_mdxylb_5f43f4ec563088db.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeSystem information queried: KernelDebuggerInformationJump to behavior
Checks if the current process is being debuggedShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\msg.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\cmmon32.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\raserver.exeProcess queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeProcess queried: DebugPort
Source: C:\Windows\System32\msdt.exeProcess queried: DebugPort
Contains functionality for execution timing, often used to detect debuggersShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 8_2_004073E0 rdtsc 8_2_004073E0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exeCode function: 8_2_00408420 LdrLoadDll,8_2_00408420
Enables debug privileges
Source: C:\Users\user\Desktop\image.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Windows\System32\msg.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Windows\System32\cmmon32.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Windows\System32\raserver.exe; Process token adjusted: Debug
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process token adjusted: Debug
Source: C:\Windows\System32\msdt.exe; Process token adjusted: Debug
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\image.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe; File created: certmgrqrj8dx.exe.9.dr
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Section loaded: unknown target pid: 3768 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 2268
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 4016
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3768
Source: C:\Windows\System32\msg.exe; Thread register set: target process: 3768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 1264
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3144
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread register set: target process: 3768
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\image.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Windows\System32\msg.exe; Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\msg.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe; Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp; Binary or memory string: Progmanp

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\msg.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\msg.exe; File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\System32\msg.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious

[Behavior graph rendered as an image in the original report; the information recoverable from its text follows.]
Behavior Graph ID: 786614; Sample: image.exe; Startdate: 13/02/2019; Architecture: WINDOWS; Score: 100
Top-level signatures: Antivirus detection for dropped file; Antivirus detection for submitted file; Multi AV Scanner detection for dropped file; 7 other signatures
Process tree: image.exe started cmd.exe, which started bnmoc.exe
Dropped file: C:\Users\user\...\bnmoc.exe:Zone.Identifier (ASCII), dropped by image.exe
Signatures on bnmoc.exe: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes