Analysis Report image.exe

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	786614
Start date:	13.02.2019
Start time:	16:35:19
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 13m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	image.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.adwa.spyw.evad.winEXE@63/14@6/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 53.9% (good quality ratio 50.8%) Quality average: 75.4% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 196
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: image.exe, bnmoc.exe, bnmoc.exe, bnmoc.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface1	Startup Items2	Startup Items2	Software Packing2	Credentials in Files1	Process Discovery1	Application Deployment Software	Data from Local System1	Data Compressed	Standard Cryptographic Protocol1
Replication Through Removable Media	Exploitation for Client Execution1	Registry Run Keys / Start Folder21	Process Injection411	Disabling Security Tools111	Network Sniffing	Security Software Discovery231	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol1
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Process Injection411	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Application Layer Protocol1
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information4	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	System Information Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Avira: Label: TR/Dropper.Gen
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Avira: Label: TR/Dropper.Gen

Antivirus detection for submitted file

Show sources

Source: image.exe

Avira: Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	virustotal: Detection: 72%	Perma Link
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	metadefender: Detection: 56%	Perma Link
Source: C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe	metadefender: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	metadefender: Detection: 56%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: image.exe	virustotal: Detection: 72%			Perma Link
Source: image.exe	metadefender: Detection: 56%			Perma Link

Antivirus detection for unpacked file

Show sources

Source: 27.2.bnmoc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.bnmoc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 37.2.bnmoc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.bnmoc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 4x nop then pop edi	8_2_0040BB2F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 4x nop then pop esi	8_2_00414690
Source: C:\Windows\System32\msg.exe	Code function: 4x nop then pop esi	15_2_00074690
Source: C:\Windows\System32\msg.exe	Code function: 4x nop then pop edi	15_2_0006BB2F
Source: C:\Windows\System32\cmmon32.exe	Code function: 4x nop then pop esi	24_2_00074690
Source: C:\Windows\System32\cmmon32.exe	Code function: 4x nop then pop edi	24_2_0006BB2F

Networking:

Social media urls found in memory data

Show sources

Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.facebook.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.facebook.com/favicon.ico

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.evcvnymlarked.review

Urls found in memory or binary data

Show sources

Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1703078184.02CBA000.00000004.sdmp	String found in binary or memory: http://crl.microso
Source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp	String found in binary or memory: http://crl.microsoft$
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000009.00000000.1695567792.015AA000.00000004.sdmp	String found in binary or memory: http://ns.adobedel
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000009.00000000.1698938326.02080000.00000008.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp	String found in binary or memory: http://www.d-trust.ne
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.1703078184.02CBA000.00000004.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/43.0.1/releasenotes
Source: msg.exe, 0000000F.00000002.1953565207.01ECF000.00000004.sdmp	String found in binary or memory: https://www.wendihutagaol.com/hu/?RN=kBvVMbxNpEnnNAgtDWXnr5DLJDjY6g37u8QPxKjeIinPPfxBfL5X92QC6Wo69Ol

System Summary:

FormBook malware detected

Show sources

Source: C:\Windows\System32\msg.exe	Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logri.ini	Jump to dropped file
Source: C:\Windows\System32\msg.exe	Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logrv.ini	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Dropped file: C:\Users\user\AppData\Roaming\K47N66PW\K47logrf.ini	Jump to dropped file

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: image.exe

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00416B50 NtCreateFile,	8_2_00416B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00416C00 NtReadFile,	8_2_00416C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00416D30 NtAllocateVirtualMemory,	8_2_00416D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00416B4A NtCreateFile,	8_2_00416B4A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00416D2B NtAllocateVirtualMemory,	8_2_00416D2B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716070 NtResumeThread,NtResumeThread,	8_2_00716070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716130 NtSetContextThread,NtSetContextThread,	8_2_00716130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715190 NtCreateFile,NtCreateFile,	8_2_00715190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007152B0 NtCreateSection,NtCreateSection,	8_2_007152B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715390 NtDelayExecution,NtDelayExecution,	8_2_00715390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716460 NtSuspendThread,NtSuspendThread,	8_2_00716460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007155A0 NtFreeVirtualMemory,	8_2_007155A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007157F0 NtMapViewOfSection,NtMapViewOfSection,	8_2_007157F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715C10 NtQueryInformationProcess,NtQueryInformationProcess,	8_2_00715C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715DC0 NtQuerySystemInformation,NtQuerySystemInformation,	8_2_00715DC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715E40 NtQueueApcThread,NtQueueApcThread,	8_2_00715E40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00714E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,	8_2_00714E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715EC0 NtReadVirtualMemory,NtReadVirtualMemory,	8_2_00715EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00714EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	8_2_00714EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715E80 NtReadFile,NtReadFile,	8_2_00715E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715090 NtClose,	8_2_00715090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007151D0 NtCreateKey,	8_2_007151D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715270 NtCreateProcessEx,	8_2_00715270
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715210 NtCreateMutant,	8_2_00715210
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716200 NtSetInformationFile,	8_2_00716200
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007163D0 NtSetValueKey,	8_2_007163D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007154E0 NtEnumerateValueKey,	8_2_007154E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007154B0 NtEnumerateKey,	8_2_007154B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007165E0 NtWaitForSingleObject,	8_2_007165E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007155E0 NtGetContextThread,	8_2_007155E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716580 NtUnmapViewOfSection,	8_2_00716580
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716660 NtWriteVirtualMemory,	8_2_00716660
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00716630 NtWriteFile,	8_2_00716630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715860 NtOpenDirectoryObject,	8_2_00715860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715960 NtOpenProcessToken,	8_2_00715960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00715950 NtOpenProcess,	8_2_00715950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716070 NtResumeThread,NtResumeThread,	14_2_00716070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716130 NtSetContextThread,NtSetContextThread,	14_2_00716130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715190 NtCreateFile,NtCreateFile,	14_2_00715190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007152B0 NtCreateSection,NtCreateSection,	14_2_007152B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715390 NtDelayExecution,NtDelayExecution,	14_2_00715390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716460 NtSuspendThread,NtSuspendThread,	14_2_00716460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007155A0 NtFreeVirtualMemory,	14_2_007155A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007157F0 NtMapViewOfSection,NtMapViewOfSection,	14_2_007157F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715C10 NtQueryInformationProcess,NtQueryInformationProcess,	14_2_00715C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715DC0 NtQuerySystemInformation,NtQuerySystemInformation,	14_2_00715DC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715E40 NtQueueApcThread,NtQueueApcThread,	14_2_00715E40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00714E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,	14_2_00714E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715EC0 NtReadVirtualMemory,NtReadVirtualMemory,	14_2_00715EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00714EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	14_2_00714EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715E80 NtReadFile,NtReadFile,	14_2_00715E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715090 NtClose,	14_2_00715090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007151D0 NtCreateKey,	14_2_007151D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715270 NtCreateProcessEx,	14_2_00715270
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715210 NtCreateMutant,	14_2_00715210
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716200 NtSetInformationFile,	14_2_00716200
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007163D0 NtSetValueKey,	14_2_007163D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007154E0 NtEnumerateValueKey,	14_2_007154E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007154B0 NtEnumerateKey,	14_2_007154B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007155E0 NtGetContextThread,	14_2_007155E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007165E0 NtWaitForSingleObject,	14_2_007165E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716580 NtUnmapViewOfSection,	14_2_00716580
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716660 NtWriteVirtualMemory,	14_2_00716660
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00716630 NtWriteFile,	14_2_00716630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715860 NtOpenDirectoryObject,	14_2_00715860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715960 NtOpenProcessToken,	14_2_00715960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715950 NtOpenProcess,	14_2_00715950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007159D0 NtOpenThread,	14_2_007159D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715AE0 NtProtectVirtualMemory,	14_2_00715AE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715BE0 NtQueryInformationFile,	14_2_00715BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715C40 NtQueryInformationToken,	14_2_00715C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715D50 NtQuerySection,	14_2_00715D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715E20 NtQueryVirtualMemory,	14_2_00715E20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00715E10 NtQueryValueKey,	14_2_00715E10
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616130 NtSetContextThread,NtSetContextThread,	15_2_01616130
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016151D0 NtCreateKey,NtCreateKey,	15_2_016151D0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615190 NtCreateFile,NtCreateFile,	15_2_01615190
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616070 NtResumeThread,NtResumeThread,	15_2_01616070
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016163D0 NtSetValueKey,NtSetValueKey,	15_2_016163D0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615390 NtDelayExecution,NtDelayExecution,	15_2_01615390
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616200 NtSetInformationFile,NtSetInformationFile,	15_2_01616200
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615210 NtCreateMutant,NtCreateMutant,	15_2_01615210
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016152B0 NtCreateSection,NtCreateSection,	15_2_016152B0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016165E0 NtWaitForSingleObject,	15_2_016165E0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016155A0 NtFreeVirtualMemory,	15_2_016155A0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616460 NtSuspendThread,NtSuspendThread,	15_2_01616460
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016154E0 NtEnumerateValueKey,NtEnumerateValueKey,	15_2_016154E0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016157F0 NtMapViewOfSection,NtMapViewOfSection,	15_2_016157F0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616630 NtWriteFile,NtWriteFile,	15_2_01616630
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615DC0 NtQuerySystemInformation,NtQuerySystemInformation,	15_2_01615DC0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615C40 NtQueryInformationToken,NtQueryInformationToken,	15_2_01615C40
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615C10 NtQueryInformationProcess,NtQueryInformationProcess,	15_2_01615C10
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615E40 NtQueueApcThread,NtQueueApcThread,	15_2_01615E40
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01614E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,	15_2_01614E30
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615E10 NtQueryValueKey,NtQueryValueKey,	15_2_01615E10
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615EC0 NtReadVirtualMemory,NtReadVirtualMemory,	15_2_01615EC0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01614EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	15_2_01614EA0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615E80 NtReadFile,NtReadFile,	15_2_01615E80
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615090 NtClose,	15_2_01615090
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615270 NtCreateProcessEx,	15_2_01615270
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016155E0 NtGetContextThread,	15_2_016155E0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616580 NtUnmapViewOfSection,	15_2_01616580
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016154B0 NtEnumerateKey,	15_2_016154B0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01616660 NtWriteVirtualMemory,	15_2_01616660
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615960 NtOpenProcessToken,	15_2_01615960
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615950 NtOpenProcess,	15_2_01615950
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016159D0 NtOpenThread,	15_2_016159D0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615860 NtOpenDirectoryObject,	15_2_01615860
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615BE0 NtQueryInformationFile,	15_2_01615BE0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615AE0 NtProtectVirtualMemory,	15_2_01615AE0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615D50 NtQuerySection,	15_2_01615D50
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01615E20 NtQueryVirtualMemory,	15_2_01615E20
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00076B50 NtCreateFile,	15_2_00076B50
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00076C00 NtReadFile,	15_2_00076C00
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00076D30 NtAllocateVirtualMemory,	15_2_00076D30
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00076B4A NtCreateFile,	15_2_00076B4A
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00076D2B NtAllocateVirtualMemory,	15_2_00076D2B
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775210 NtCreateMutant,NtCreateMutant,	24_2_00775210
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007755A0 NtFreeVirtualMemory,	24_2_007755A0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775C10 NtQueryInformationProcess,NtQueryInformationProcess,	24_2_00775C10
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775DC0 NtQuerySystemInformation,NtQuerySystemInformation,	24_2_00775DC0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00774E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,	24_2_00774E30
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00774EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	24_2_00774EA0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776070 NtResumeThread,	24_2_00776070
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775090 NtClose,	24_2_00775090
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776130 NtSetContextThread,	24_2_00776130
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007751D0 NtCreateKey,	24_2_007751D0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775190 NtCreateFile,	24_2_00775190
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775270 NtCreateProcessEx,	24_2_00775270
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776200 NtSetInformationFile,	24_2_00776200
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007752B0 NtCreateSection,	24_2_007752B0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007763D0 NtSetValueKey,	24_2_007763D0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775390 NtDelayExecution,	24_2_00775390
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776460 NtSuspendThread,	24_2_00776460
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007754E0 NtEnumerateValueKey,	24_2_007754E0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007754B0 NtEnumerateKey,	24_2_007754B0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007755E0 NtGetContextThread,	24_2_007755E0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007765E0 NtWaitForSingleObject,	24_2_007765E0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776580 NtUnmapViewOfSection,	24_2_00776580
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776660 NtWriteVirtualMemory,	24_2_00776660
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00776630 NtWriteFile,	24_2_00776630
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007757F0 NtMapViewOfSection,	24_2_007757F0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775860 NtOpenDirectoryObject,	24_2_00775860
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775960 NtOpenProcessToken,	24_2_00775960
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775950 NtOpenProcess,	24_2_00775950
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007759D0 NtOpenThread,	24_2_007759D0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775AE0 NtProtectVirtualMemory,	24_2_00775AE0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775BE0 NtQueryInformationFile,	24_2_00775BE0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775C40 NtQueryInformationToken,	24_2_00775C40
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775D50 NtQuerySection,	24_2_00775D50
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775E40 NtQueueApcThread,	24_2_00775E40
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775E20 NtQueryVirtualMemory,	24_2_00775E20
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775E10 NtQueryValueKey,	24_2_00775E10
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775EC0 NtReadVirtualMemory,	24_2_00775EC0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00775E80 NtReadFile,	24_2_00775E80
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00076B50 NtCreateFile,	24_2_00076B50
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00076C00 NtReadFile,	24_2_00076C00
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00076D30 NtAllocateVirtualMemory,	24_2_00076D30
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00076B4A NtCreateFile,	24_2_00076B4A
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00076D2B NtAllocateVirtualMemory,	24_2_00076D2B

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_004078EC	8_2_004078EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_004078F0	8_2_004078F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041AA47	8_2_0041AA47
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00419AB3	8_2_00419AB3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041A3B4	8_2_0041A3B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041ACA0	8_2_0041ACA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041A64A	8_2_0041A64A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00419E86	8_2_00419E86
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006D7078	8_2_006D7078
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00727015	8_2_00727015
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0079B0E7	8_2_0079B0E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007950A5	8_2_007950A5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006F3109	8_2_006F3109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006F91F7	8_2_006F91F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007372C3	8_2_007372C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006D83EB	8_2_006D83EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0072645A	8_2_0072645A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006FC447	8_2_006FC447
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007A0404	8_2_007A0404
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006D44FC	8_2_006D44FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007324E1	8_2_007324E1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006FE4D7	8_2_006FE4D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00796500	8_2_00796500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0072B594	8_2_0072B594
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_006E96B9	8_2_006E96B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007036AC	8_2_007036AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007277C8	8_2_007277C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_007978EA	8_2_007978EA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00743951	8_2_00743951
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006D7078	14_2_006D7078
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00727015	14_2_00727015
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0079B0E7	14_2_0079B0E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007950A5	14_2_007950A5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006F3109	14_2_006F3109
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006F91F7	14_2_006F91F7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00792250	14_2_00792250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007372C3	14_2_007372C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006D83EB	14_2_006D83EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006FC447	14_2_006FC447
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0072645A	14_2_0072645A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007A0404	14_2_007A0404
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006D44FC	14_2_006D44FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007324E1	14_2_007324E1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006FE4D7	14_2_006FE4D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00796500	14_2_00796500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0072B594	14_2_0072B594
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006E96B9	14_2_006E96B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007036AC	14_2_007036AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007277C8	14_2_007277C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007978EA	14_2_007978EA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0077C889	14_2_0077C889
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0074B974	14_2_0074B974
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00743951	14_2_00743951
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0072595C	14_2_0072595C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00791907	14_2_00791907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007229EE	14_2_007229EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_007A4990	14_2_007A4990
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006F3984	14_2_006F3984
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00729A68	14_2_00729A68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00722ADC	14_2_00722ADC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006F0BFB	14_2_006F0BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00794BBA	14_2_00794BBA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006DCBA7	14_2_006DCBA7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0073FBA6	14_2_0073FBA6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0077DB95	14_2_0077DB95
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00795C56	14_2_00795C56
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006FDCFB	14_2_006FDCFB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00735CCD	14_2_00735CCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0077DD51	14_2_0077DD51
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00725DD8	14_2_00725DD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006E0E52	14_2_006E0E52
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_0074AEF5	14_2_0074AEF5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006EEEC7	14_2_006EEEC7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00771F48	14_2_00771F48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00741FDB	14_2_00741FDB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006FDFD4	14_2_006FDFD4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00727FAB	14_2_00727FAB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_006D9F90	14_2_006D9F90
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015F3109	15_2_015F3109
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015F91F7	15_2_015F91F7
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015D7078	15_2_015D7078
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01627015	15_2_01627015
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0169B0E7	15_2_0169B0E7
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016950A5	15_2_016950A5
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015D83EB	15_2_015D83EB
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01696500	15_2_01696500
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0162B594	15_2_0162B594
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015FC447	15_2_015FC447
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0162645A	15_2_0162645A
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016A0404	15_2_016A0404
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016324E1	15_2_016324E1
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015FE4D7	15_2_015FE4D7
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015D44FC	15_2_015D44FC
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016277C8	15_2_016277C8
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016036AC	15_2_016036AC
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015E96B9	15_2_015E96B9
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01643951	15_2_01643951
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0162595C	15_2_0162595C
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01691907	15_2_01691907
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016229EE	15_2_016229EE
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015F3984	15_2_015F3984
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016A4990	15_2_016A4990
Source: C:\Windows\System32\msg.exe	Code function: 15_2_016978EA	15_2_016978EA
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015F0BFB	15_2_015F0BFB
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0163FBA6	15_2_0163FBA6
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01694BBA	15_2_01694BBA
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0167DB95	15_2_0167DB95
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015DCBA7	15_2_015DCBA7
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01629A68	15_2_01629A68
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01622ADC	15_2_01622ADC
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0167DD51	15_2_0167DD51
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01625DD8	15_2_01625DD8
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01695C56	15_2_01695C56
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015FDCFB	15_2_015FDCFB
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01635CCD	15_2_01635CCD
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015FDFD4	15_2_015FDFD4
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01627FAB	15_2_01627FAB
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015D9F90	15_2_015D9F90
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015E0E52	15_2_015E0E52
Source: C:\Windows\System32\msg.exe	Code function: 15_2_015EEEC7	15_2_015EEEC7
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007A64B	15_2_0007A64B
Source: C:\Windows\System32\msg.exe	Code function: 15_2_000678EC	15_2_000678EC
Source: C:\Windows\System32\msg.exe	Code function: 15_2_000678F0	15_2_000678F0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007AA47	15_2_0007AA47
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00079AB3	15_2_00079AB3
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007ACA0	15_2_0007ACA0
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00079E86	15_2_00079E86
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00737078	24_2_00737078
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00787015	24_2_00787015
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007FB0E7	24_2_007FB0E7
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F50A5	24_2_007F50A5
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00753109	24_2_00753109
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007591F7	24_2_007591F7
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F2250	24_2_007F2250
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007972C3	24_2_007972C3
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007383EB	24_2_007383EB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0078645A	24_2_0078645A
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0075C447	24_2_0075C447
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00800404	24_2_00800404
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007344FC	24_2_007344FC
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007924E1	24_2_007924E1
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0075E4D7	24_2_0075E4D7
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F6500	24_2_007F6500
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0078B594	24_2_0078B594
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007496B9	24_2_007496B9
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007636AC	24_2_007636AC
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007877C8	24_2_007877C8
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F78EA	24_2_007F78EA
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007DC889	24_2_007DC889
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007AB974	24_2_007AB974
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00804990	24_2_00804990
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0078595C	24_2_0078595C
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007A3951	24_2_007A3951
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F1907	24_2_007F1907
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007829EE	24_2_007829EE
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00753984	24_2_00753984
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00789A68	24_2_00789A68
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00782ADC	24_2_00782ADC
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00750BFB	24_2_00750BFB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F4BBA	24_2_007F4BBA
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0073CBA7	24_2_0073CBA7
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0079FBA6	24_2_0079FBA6
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007DDB95	24_2_007DDB95
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007F5C56	24_2_007F5C56
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0075DCFB	24_2_0075DCFB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00795CCD	24_2_00795CCD
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007DDD51	24_2_007DDD51
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00785DD8	24_2_00785DD8
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00740E52	24_2_00740E52
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007AAEF5	24_2_007AAEF5
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0074EEC7	24_2_0074EEC7
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007D1F48	24_2_007D1F48
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0075DFD4	24_2_0075DFD4
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_007A1FDB	24_2_007A1FDB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00787FAB	24_2_00787FAB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00739F90	24_2_00739F90
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0007A64B	24_2_0007A64B
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_000678EC	24_2_000678EC
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_000678F0	24_2_000678F0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0007AA47	24_2_0007AA47
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00079AB3	24_2_00079AB3
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0007ACA0	24_2_0007ACA0
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00079E86	24_2_00079E86

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\System32\cmmon32.exe	Code function: String function: 00782824 appears 79 times
Source: C:\Windows\System32\cmmon32.exe	Code function: String function: 00751ACE appears 132 times
Source: C:\Windows\System32\cmmon32.exe	Code function: String function: 0074F63B appears 239 times
Source: C:\Windows\System32\cmmon32.exe	Code function: String function: 00763D00 appears 41 times
Source: C:\Windows\System32\cmmon32.exe	Code function: String function: 007CF3E2 appears 83 times
Source: C:\Windows\System32\msg.exe	Code function: String function: 01603D00 appears 38 times
Source: C:\Windows\System32\msg.exe	Code function: String function: 01622824 appears 70 times
Source: C:\Windows\System32\msg.exe	Code function: String function: 0166F3E2 appears 64 times
Source: C:\Windows\System32\msg.exe	Code function: String function: 015F1ACE appears 99 times
Source: C:\Windows\System32\msg.exe	Code function: String function: 015EF63B appears 213 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 0076F3E2 appears 125 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 006F1ACE appears 205 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 006EF63B appears 372 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 007172D0 appears 44 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 00703D00 appears 61 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: String function: 00722824 appears 122 times

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: image.exe, 00000000.00000002.1668259647.002A8000.00000004.sdmp	Binary or memory string: OriginalFilenamebnm.exe4 vs image.exe
Source: image.exe, 00000000.00000002.1668108691.00263000.00000004.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs image.exe
Source: image.exe, 00000000.00000002.1669437521.00510000.00000004.sdmp	Binary or memory string: OriginalFilenameRunPEDll.dll2 vs image.exe
Source: image.exe, 00000000.00000002.1669910969.013B0000.00000002.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs image.exe
Source: image.exe, 00000000.00000002.1672009462.02A97000.00000004.sdmp	Binary or memory string: OriginalFilenamestub.exe4 vs image.exe
Source: image.exe	Binary or memory string: OriginalFilenamebnm.exe4 vs image.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\image.exe

File read: C:\Users\user\Desktop\image.exe

Jump to behavior

Searches the installation path of Mozilla Firefox

Show sources

Source: C:\Windows\System32\msg.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\43.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\msg.exe	Section loaded: mozglue.dll			Jump to behavior
Source: C:\Windows\System32\msg.exe	Section loaded: winsqlite3.dll			Jump to behavior

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd'

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Show sources

Source: image.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bnmoc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: certmgrqrj8dx.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: certmgrqrj8dx.exe0.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bnmoc.exe.29.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Show sources

Source: classification engine

Classification label: mal100.adwa.spyw.evad.winEXE@63/14@6/0

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\System32\msg.exe

Code function: 15_2_0006FB80 CoInitialize,CoCreateInstance,OleUninitialize,

15_2_0006FB80

Creates files inside the program directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Program Files\Mdxylb

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\image.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Jump to behavior

Creates temporary files

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

File created: C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ........P#..........M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .[.V.e.r.s.i.o.n. .6...1...7.6.0.1.].......Ww4...H...`.....,.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................0.......4....s..........................P......o........\...j.]w...o....t........E.I....l...	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..T...................0.....0.......4....s..................................\...j.]w...o.......o......T.~....,.I....t...	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................0.......4....s......................................\...j.]w...o...o....x........E.I....p...	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................0.......4....s..............................C\.wPY.wl..............oh............E.I........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........4......w@..Ix.(.....................(...x......wX...	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..T...................0.....0.......4...-s..........................\...........`.(..............((...T.....5...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ............................0.......4...fs...........................r.P.(.H.....(.P.(..r....oh............E.I........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.................@..I8......w@..Ix.(.........(...x......wX...	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................e.x.i.t.........4...rs..........................\...........;..w............P.(.\|.......5...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.............4....w..........................D...........!...@@ ....."..m$............FWJ........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........t....o/.....V.UJ............t.........WwH...&...`.....,.....	Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: image.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Users\user\Desktop\image.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Searches\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\image.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: image.exe	virustotal: Detection: 72%
Source: image.exe	metadefender: Detection: 56%

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\image.exe 'C:\Users\user\Desktop\image.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\msg.exe C:\Windows\System32\msg.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt \| cmd
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: unknown	Process created: C:\Windows\System32\cmmon32.exe C:\Windows\System32\cmmon32.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\raserver.exe C:\Windows\System32\raserver.exe
Source: unknown	Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: unknown	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: unknown	Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe
Source: unknown	Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe 'C:\Program Files\Mdxylb\certmgrqrj8dx.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\Desktop\image.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msg.exe C:\Windows\System32\msg.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt \| cmd	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmmon32.exe C:\Windows\System32\cmmon32.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\raserver.exe C:\Windows\System32\raserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msdt.exe C:\Windows\System32\msdt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe 'C:\Program Files\Mdxylb\certmgrqrj8dx.exe'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\System32\msg.exe

File written: C:\Users\user\AppData\Roaming\K47N66PW\K47logri.ini

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Users\user\Desktop\image.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\explorer.exe	Directory created: C:\Program Files\Mdxylb			Jump to behavior
Source: C:\Windows\explorer.exe	Directory created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe			Jump to behavior

PE file contains a COM descriptor data directory

Show sources

Source: image.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\image.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: image.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: cmmon32.pdb source: bnmoc.exe, 00000008.00000002.1737711731.002B4000.00000004.sdmp
Source:	Binary string: cmmon32.pdbr2v source: bnmoc.exe, 00000008.00000002.1737711731.002B4000.00000004.sdmp
Source:	Binary string: msg.pdb source: bnmoc.exe, 0000000E.00000002.1723167362.002E4000.00000004.sdmp
Source:	Binary string: ntdll.pdb source: bnmoc.exe, msg.exe, cmmon32.exe
Source:	Binary string: ntdll.pdb3 source: bnmoc.exe, 00000008.00000003.1672350373.00430000.00000004.sdmp, bnmoc.exe, 0000000E.00000003.1694753168.00430000.00000004.sdmp
Source:	Binary string: objs\libjsoundds\jsoundds.pdb source: explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: image.exe, 00000000.00000002.1669910969.013B0000.00000002.sdmp, bnmoc.exe, 00000004.00000002.1675328490.005A0000.00000002.sdmp, bnmoc.exe, 0000000A.00000002.1697347055.01410000.00000002.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Unpacked PE file: 8.2.bnmoc.exe.20000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Unpacked PE file: 14.2.bnmoc.exe.20000.0.unpack

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_004199C5 push eax; ret	8_2_00419A18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0040B9A1 push eax; ret	8_2_0040B9A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00419A7C push eax; ret	8_2_00419A82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00419A12 push eax; ret	8_2_00419A18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00419A1B push eax; ret	8_2_00419A82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00413A3D push edi; iretd	8_2_00413A3E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041AE22 push ebp; ret	8_2_0041AE23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_004186E2 push dword ptr [esi-6EDD6829h]; ret	8_2_004186EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041AF64 push 83D481C5h; ret	8_2_0041AF69
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_0041AF7C push edi; retf	8_2_0041AF7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 8_2_00722869 push ecx; ret	8_2_0072287C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Code function: 14_2_00722869 push ecx; ret	14_2_0072287C
Source: C:\Windows\System32\msg.exe	Code function: 15_2_01622869 push ecx; ret	15_2_0162287C
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007A3C4 push cs; iretd	15_2_0007A3C5
Source: C:\Windows\System32\msg.exe	Code function: 15_2_000786E2 push dword ptr [esi-6EDD6829h]; ret	15_2_000786EB
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0006B9A1 push eax; ret	15_2_0006B9A8
Source: C:\Windows\System32\msg.exe	Code function: 15_2_000799C5 push eax; ret	15_2_00079A18
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00079A12 push eax; ret	15_2_00079A18
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00079A1B push eax; ret	15_2_00079A82
Source: C:\Windows\System32\msg.exe	Code function: 15_2_00079A7C push eax; ret	15_2_00079A82
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007AE22 push ebp; ret	15_2_0007AE23
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007AF64 push 83D481C5h; ret	15_2_0007AF69
Source: C:\Windows\System32\msg.exe	Code function: 15_2_0007AF7C push edi; retf	15_2_0007AF7D
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00782869 push ecx; ret	24_2_0078287C
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0007A3C4 push cs; iretd	24_2_0007A3C5
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_000786E2 push dword ptr [esi-6EDD6829h]; ret	24_2_000786EB
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_0006B9A1 push eax; ret	24_2_0006B9A8
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_000799C5 push eax; ret	24_2_00079A18
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00079A12 push eax; ret	24_2_00079A18
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00079A1B push eax; ret	24_2_00079A82
Source: C:\Windows\System32\cmmon32.exe	Code function: 24_2_00073A3D push edi; iretd	24_2_00073A3E

Binary may include packed or encrypted code

Show sources

Source: initial sample	Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample	Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample	Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample	Static PE information: section name: .text entropy: 7.38254453232
Source: initial sample	Static PE information: section name: .text entropy: 7.38254453232

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Drops PE files

Show sources

Source: C:\Windows\explorer.exe	File created: C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe	Jump to dropped file
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Jump to dropped file

Boot Survival:

Creates multiple autostart registry keys

Show sources

Source: C:\Windows\System32\msg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa			Jump to behavior

Drops PE files to the startup folder

Show sources

Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Users\user\Desktop\image.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa	Jump to behavior
Source: C:\Windows\System32\msg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC	Jump to behavior
Source: C:\Windows\System32\msg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking system information)

Show sources

Source: C:\Windows\System32\cmmon32.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,ExitProcess

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: image.exe, 00000000.00000002.1671280586.01A20000.00000004.sdmp, bnmoc.exe, 00000004.00000002.1676704295.01EA0000.00000004.sdmp, bnmoc.exe, 0000000A.00000002.1699513950.01960000.00000004.sdmp

Binary or memory string: SBIEDLL.DLL

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Code function: 8_2_004073E0 rdtsc

8_2_004073E0

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\Desktop\image.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\image.exe TID: 2304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 2368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3828	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3828	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 1888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msg.exe TID: 2240	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 3420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe TID: 3584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe TID: 3080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe TID: 3756	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\msg.exe

Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: explorer.exe, 00000009.00000000.1705084626.04740000.00000004.sdmp

Binary or memory string: vmbusres.dll,

Queries a list of all running processes

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Found API chain indicative of debugger detection

Show sources

Source: C:\Windows\System32\cmmon32.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Checks for debuggers (devices)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_8dae6c61b8a77b32.cdf-ms
Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\program_files_mdxylb_5f43f4ec563088db.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\cmmon32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\raserver.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process queried: DebugPort
Source: C:\Windows\System32\msdt.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Code function: 8_2_004073E0 rdtsc

8_2_004073E0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Code function: 8_2_00408420 LdrLoadDll,

8_2_00408420

Enables debug privileges

Show sources

Source: C:\Users\user\Desktop\image.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\cmmon32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\raserver.exe	Process token adjusted: Debug
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process token adjusted: Debug
Source: C:\Windows\System32\msdt.exe	Process token adjusted: Debug
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\Desktop\image.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: certmgrqrj8dx.exe.9.dr

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Section loaded: unknown target pid: 3768 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 2268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3768	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3768	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 4016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3768	Jump to behavior
Source: C:\Windows\System32\msg.exe	Thread register set: target process: 3768	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 1264	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3768	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3144
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Thread register set: target process: 3768

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\image.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\msg.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'	Jump to behavior
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Source: C:\Program Files\Mdxylb\certmgrqrj8dx.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.1695133822.00840000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	Binary or memory string: Progmanp

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\System32\msg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\System32\msg.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
16:37:08	API Interceptor	5232x Sleep call for process: image.exe modified
16:37:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
16:37:10	API Interceptor	8x Sleep call for process: bnmoc.exe modified
16:37:14	API Interceptor	737x Sleep call for process: explorer.exe modified
16:37:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bnmocxzasa cmd /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt \| cmd
16:37:35	API Interceptor	1x Sleep call for process: msg.exe modified
16:37:40	API Interceptor	1x Sleep call for process: cmmon32.exe modified
16:37:49	API Interceptor	1x Sleep call for process: raserver.exe modified
16:38:36	API Interceptor	2x Sleep call for process: certmgrqrj8dx.exe modified
16:38:43	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run LHD0DBCHQZC C:\Program Files\Mdxylb\certmgrqrj8dx.exe
16:38:49	API Interceptor	1x Sleep call for process: msdt.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
image.exe	73%	virustotal		Browse
image.exe	57%	metadefender		Browse
image.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Mdxylb\certmgrqrj8dx.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files\Mdxylb\certmgrqrj8dx.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files\Mdxylb\certmgrqrj8dx.exe	73%	virustotal		Browse
C:\Program Files\Mdxylb\certmgrqrj8dx.exe	57%	metadefender		Browse
C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe	57%	metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe	57%	metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
37.2.bnmoc.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
14.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
10.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
29.0.certmgrqrj8dx.exe.1160000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
8.2.bnmoc.exe.1240000.3.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
14.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
39.1.certmgrqrj8dx.exe.11c0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
27.2.bnmoc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
27.2.bnmoc.exe.1240000.3.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
14.2.bnmoc.exe.1240000.3.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
14.2.bnmoc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
37.2.bnmoc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
20.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
20.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
10.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
8.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
0.0.image.exe.1350000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
27.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
8.2.bnmoc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
27.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
32.0.bnmoc.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
4.0.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
4.1.bnmoc.exe.1240000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
29.1.certmgrqrj8dx.exe.1160000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
37.1.bnmoc.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
0.1.image.exe.1350000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
39.0.certmgrqrj8dx.exe.11c0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
32.1.bnmoc.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File
37.0.bnmoc.exe.a0000.0.unpack	100%	Avira	HEUR/AGEN.1029316	Download File

Domains

Source	Detection	Scanner	Link	Download
www.wendihutagaol.com	0%	virustotal	Browse	Download File
www.specialedtutors.com	0%	virustotal	Browse	Download File
www.evcvnymlarked.review	0%	virustotal	Browse	Download File

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

image.exe (PID: 2528 cmdline: 'C:\Users\user\Desktop\image.exe' MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 896 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

bnmoc.exe (PID: 396 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 2860 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 1908 cmdline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd' MD5: D69A9ABBB0D795F21995C2F48C1EB560)

bnmoc.exe (PID: 2268 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

explorer.exe (PID: 3768 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

bnmoc.exe (PID: 1868 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 2908 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 2932 cmdline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd' MD5: D69A9ABBB0D795F21995C2F48C1EB560)

bnmoc.exe (PID: 4016 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

msg.exe (PID: 4064 cmdline: C:\Windows\System32\msg.exe MD5: 835982D4DB80A9CC114E34E34E90E2A0)

cmd.exe (PID: 3004 cmdline: /c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

firefox.exe (PID: 524 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: 7F0E061F5B6F311013968503D4C1D052)

cmd.exe (PID: 1900 cmdline: 'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt | cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2960 cmdline: C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt ' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3956 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

bnmoc.exe (PID: 2852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 1992 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 1884 cmdline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd' MD5: D69A9ABBB0D795F21995C2F48C1EB560)

bnmoc.exe (PID: 1264 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

cmmon32.exe (PID: 2360 cmdline: C:\Windows\System32\cmmon32.exe MD5: EA7BAAB0792C846DE451001FAE0FBD5F)

raserver.exe (PID: 2964 cmdline: C:\Windows\System32\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)

certmgrqrj8dx.exe (PID: 1800 cmdline: C:\Program Files\Mdxylb\certmgrqrj8dx.exe MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 1876 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

bnmoc.exe (PID: 2920 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 1360 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 2496 cmdline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' | cmd' MD5: D69A9ABBB0D795F21995C2F48C1EB560)

bnmoc.exe (PID: 3144 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe' MD5: 287782734F94678617B7028B029320AB)

msdt.exe (PID: 3444 cmdline: C:\Windows\System32\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)

certmgrqrj8dx.exe (PID: 2352 cmdline: 'C:\Program Files\Mdxylb\certmgrqrj8dx.exe' MD5: 287782734F94678617B7028B029320AB)

cmd.exe (PID: 3416 cmdline: cmd MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Created / dropped Files

C:\Program Files\Mdxylb\certmgrqrj8dx.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	309760
Entropy (8bit):	7.358279860983715
Encrypted:	false
MD5:	287782734F94678617B7028B029320AB
SHA1:	65A981AA37EB961D93A90CEFCF90560B30137AA4
SHA-256:	1FC2354D39643163CDF9DB2C8859CDDF7F92710495B66C9297F53A36A0F0A95F
SHA-512:	6F1B8DC8910600060FFF2F98BFA54D57BFB893FF3B64B615F99A66DE4571143EE698225DFE6AC35DD2CF688E47B7F5087F13791BBDAC43AE84A0A10191C74FC0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse Antivirus: Avira, Detection: 100%, Browse Antivirus: virustotal, Detection: 73%, Browse Antivirus: metadefender, Detection: 57%, Browse

C:\Users\user~1\AppData\Local\Temp\Mdxylb\certmgrqrj8dx.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	309760
Entropy (8bit):	7.358279860983715
Encrypted:	false
MD5:	287782734F94678617B7028B029320AB
SHA1:	65A981AA37EB961D93A90CEFCF90560B30137AA4
SHA-256:	1FC2354D39643163CDF9DB2C8859CDDF7F92710495B66C9297F53A36A0F0A95F
SHA-512:	6F1B8DC8910600060FFF2F98BFA54D57BFB893FF3B64B615F99A66DE4571143EE698225DFE6AC35DD2CF688E47B7F5087F13791BBDAC43AE84A0A10191C74FC0
Malicious:	true
Antivirus:	Antivirus: metadefender, Detection: 57%, Browse

C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	103
Entropy (8bit):	4.773222980565118
Encrypted:	false
MD5:	E0CE0B0EDC14B6209A6656C5D2E392E7
SHA1:	10101FDE740B16AAAA9CA1294E45B22DEE29A872
SHA-256:	2F233F11954F6639EFF6249A78EDF640898811C5C69E6296FDF8B2913143755C
SHA-512:	E840E3900E28530CA3647EE3514CCBA20B078635381DECE042EACBCA5A1E578143C084F9E83CBCB1F7894F08089322A016E75027A27BD8DCB1DD8C6EF26F07A8
Malicious:	false

C:\Users\user\AppData\Roaming\K47N66PW\K47logim.jpeg Download File
Process:	C:\Windows\System32\msg.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Size (bytes):	83303
Entropy (8bit):	7.630189055060992
Encrypted:	false
MD5:	E2662C89CAEA5ED6DDB9647CA71FC073
SHA1:	56CF437F1199A497199209BD1CB3E81D74D2B443
SHA-256:	E7D007C705B23F810DE1E9AD1150EE7376AB9C4A624E5AC6B0F60CA7BC0D8E04
SHA-512:	9CAC7903B4586C7A340F7BA861A7B0FD6BA690E38D10F1E7B3B095A7FDB2265A0A000733D4982970F6242058A044DF87C61928093F8EFD20372AF177E0DB1AA5
Malicious:	false

C:\Users\user\AppData\Roaming\K47N66PW\K47logrf.ini Download File
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
MD5:	2F245469795B865BDD1B956C23D7893D
SHA1:	6AD80B974D3808F5A20EA1E766C7D2F88B9E5895
SHA-256:	1662D01A2D47B875A34FC7A8CD92E78CB2BA7F34023C7FD2639CBB10B8D94361
SHA-512:	909F189846A5D2DB208A5EB2E7CB3042C0F164CAF437E2B1B6DE608C0A70E4F3510B81B85753DBEEC1E211E6A83E6EA8C96AFF896E9B6E8ED42014473A54DC4F
Malicious:	true

C:\Users\user\AppData\Roaming\K47N66PW\K47logri.ini Download File
Process:	C:\Windows\System32\msg.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true

C:\Users\user\AppData\Roaming\K47N66PW\K47logrv.ini Download File
Process:	C:\Windows\System32\msg.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.96096404744368
Encrypted:	false
MD5:	BA3B6BC807D4F76794C4B81B09BB9BA5
SHA1:	24CB89501F0212FF3095ECC0ABA97DD563718FB1
SHA-256:	6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
SHA-512:	ECD07E601FC9E3CFC39ADDD7BD6F3D7F7FF3253AFB40BF536E9EAAC5A4C243E5EC40FBFD7B216CB0EA29F2517419601E335E33BA19DEA4A46F65E38694D465BF
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe Download File
Process:	C:\Program Files\Mdxylb\certmgrqrj8dx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	309760
Entropy (8bit):	7.358279860983715
Encrypted:	false
MD5:	287782734F94678617B7028B029320AB
SHA1:	65A981AA37EB961D93A90CEFCF90560B30137AA4
SHA-256:	1FC2354D39643163CDF9DB2C8859CDDF7F92710495B66C9297F53A36A0F0A95F
SHA-512:	6F1B8DC8910600060FFF2F98BFA54D57BFB893FF3B64B615F99A66DE4571143EE698225DFE6AC35DD2CF688E47B7F5087F13791BBDAC43AE84A0A10191C74FC0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse Antivirus: metadefender, Detection: 57%, Browse

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\image.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wendihutagaol.com	unknown	unknown	true	0%, virustotal, Browse	unknown
www.specialedtutors.com	unknown	unknown	true	0%, virustotal, Browse	unknown
www.evcvnymlarked.review	unknown	unknown	true	0%, virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.mercadolivre.com.br/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.ebay.de/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.mtv.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.rambler.ru/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.nifty.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.dailymail.co.uk/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www3.fnac.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://buscar.ya.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.sogou.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://asp.usatoday.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://fr.search.yahoo.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://rover.ebay.com	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://in.search.yahoo.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://crl.microso	explorer.exe, 00000009.00000000.1703078184.02CBA000.00000004.sdmp	false	high
http://search.ebay.in/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.autoitscript.com/autoit3	explorer.exe, 00000009.00000000.1694243707.0011D000.00000004.sdmp	false	high
http://%s.com	explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	false	high
http://msk.afisha.ru/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.rediff.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.ya.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://it.search.dada.net/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.naver.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.google.ru/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.abril.com.br/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.daum.net/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.naver.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.clarin.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://buscar.ozu.es/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://kr.search.yahoo.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.about.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://busca.igbusca.com.br/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.ask.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.cjmall.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.centrum.cz/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://suche.t-online.de/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.google.it/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.auction.co.kr/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.ceneo.pl/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.amazon.de/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://sads.myspace.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://google.pchome.com.tw/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://uk.search.yahoo.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://espanol.search.yahoo.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.ozu.es/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.sify.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.ebay.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.gmarket.co.kr/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.nifty.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://searchresults.news.com.au/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.google.si/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.google.cz/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.soso.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.univision.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.ebay.it/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.asharqalawsat.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://busca.orange.es/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000009.00000000.1692977138.06EE0000.00000008.sdmp	false	high
http://search.yahoo.co.jp	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.target.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://buscador.terra.es/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.iask.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.tesco.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.seznam.cz/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.interpark.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.espn.go.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.d-trust.ne	explorer.exe, 00000009.00000000.1706215274.0498C000.00000004.sdmp	false	high
http://www.myspace.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://p.zhongsou.com/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://service2.bfast.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.%s.comPA	explorer.exe, 00000009.00000000.1698938326.02080000.00000008.sdmp	false	high
http://ariadna.elmundo.es/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.news.com.au/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.cdiscount.com/	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high
http://www.tiscali.it/favicon.ico	explorer.exe, 00000009.00000000.1693148616.06F99000.00000008.sdmp	false	high

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.358279860983715
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	image.exe
File size:	309760
MD5:	287782734f94678617b7028b029320ab
SHA1:	65a981aa37eb961d93a90cefcf90560b30137aa4
SHA256:	1fc2354d39643163cdf9db2c8859cddf7f92710495b66c9297f53a36a0f0a95f
SHA512:	6f1b8dc8910600060fff2f98bfa54d57bfb893ff3b64b615f99a66de4571143ee698225dfe6ac35dd2cf688e47b7f5087f13791bbdac43ae84a0a10191c74fc0
SSDEEP:	6144:0sfrsfhibr/SguQAsJ1/y3UN8Xu8D5N1QSrziG0eXm7:lsfSSgUKNSvQWhm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5[............................^.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0x44c35e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B35B48C [Fri Jun 29 04:24:44 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c304	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x1000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4a364	0x4a400	False	0.740122579966	data	7.38254453232	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x1000	0x1000	False	0.0751953125	data	0.65431333765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x4e058	0x234	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	bnm.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	bnm.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 13, 2019 16:37:49.322345972 CET	51176	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:37:49.355587959 CET	53	51176	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:09.438657045 CET	49810	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:10.432919979 CET	49810	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:10.446954012 CET	53	49810	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:33.994622946 CET	55151	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:34.033061028 CET	53	55151	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:36.260667086 CET	53216	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:37.245091915 CET	53216	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:37.257396936 CET	53	53216	8.8.8.8	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 13, 2019 16:37:49.322345972 CET	51176	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:37:49.355587959 CET	53	51176	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:09.438657045 CET	49810	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:10.432919979 CET	49810	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:10.446954012 CET	53	49810	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:33.994622946 CET	55151	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:34.033061028 CET	53	55151	8.8.8.8	192.168.1.16
Feb 13, 2019 16:38:36.260667086 CET	53216	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:37.245091915 CET	53216	53	192.168.1.16	8.8.8.8
Feb 13, 2019 16:38:37.257396936 CET	53	53216	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 13, 2019 16:37:49.322345972 CET	192.168.1.16	8.8.8.8	0x42ce	Standard query (0)	www.evcvnymlarked.review	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:09.438657045 CET	192.168.1.16	8.8.8.8	0x8828	Standard query (0)	www.wendihutagaol.com	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:10.432919979 CET	192.168.1.16	8.8.8.8	0x8828	Standard query (0)	www.wendihutagaol.com	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:33.994622946 CET	192.168.1.16	8.8.8.8	0xa314	Standard query (0)	www.specialedtutors.com	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:36.260667086 CET	192.168.1.16	8.8.8.8	0x5279	Standard query (0)	www.specialedtutors.com	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:37.245091915 CET	192.168.1.16	8.8.8.8	0x5279	Standard query (0)	www.specialedtutors.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 13, 2019 16:37:49.355587959 CET	8.8.8.8	192.168.1.16	0x42ce	Name error (3)	www.evcvnymlarked.review	none	none	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:10.446954012 CET	8.8.8.8	192.168.1.16	0x8828	No error (0)	www.wendihutagaol.com	ghs.google.com		CNAME (Canonical name)	IN (0x0001)
Feb 13, 2019 16:38:34.033061028 CET	8.8.8.8	192.168.1.16	0xa314	Name error (3)	www.specialedtutors.com	none	none	A (IP address)	IN (0x0001)
Feb 13, 2019 16:38:37.257396936 CET	8.8.8.8	192.168.1.16	0x5279	Name error (3)	www.specialedtutors.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: image.exe PID: 2528 Parent PID: 1792

General

Start time:	16:37:07
Start date:	13/02/2019
Path:	C:\Users\user\Desktop\image.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\image.exe'
Imagebase:	0x1350000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 896 Parent PID: 2528

General

Start time:	16:37:09
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a2a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 396 Parent PID: 896

General

Start time:	16:37:09
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira, Browse Detection: 57%, metadefender, Browse
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2860 Parent PID: 396

General

Start time:	16:37:11
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a2d0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 1908 Parent PID: 2860

General

Start time:	16:37:11
Start date:	13/02/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Imagebase:	0xfd0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 2268 Parent PID: 396

General

Start time:	16:37:11
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3768 Parent PID: 2268

General

Start time:	16:37:13
Start date:	13/02/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x560000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 1868 Parent PID: 3768

General

Start time:	16:37:18
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2908 Parent PID: 1868

General

Start time:	16:37:20
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a610000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 2932 Parent PID: 2908

General

Start time:	16:37:20
Start date:	13/02/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Imagebase:	0x6a0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 4016 Parent PID: 1868

General

Start time:	16:37:21
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msg.exe PID: 4064 Parent PID: 3768

General

Start time:	16:37:29
Start date:	13/02/2019
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msg.exe
Imagebase:	0x9c0000
File size:	24576 bytes
MD5 hash:	835982D4DB80A9CC114E34E34E90E2A0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1900 Parent PID: 3768

General

Start time:	16:37:31
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cmd.exe' /c type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt \| cmd
Imagebase:	0x49d20000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2960 Parent PID: 1900

General

Start time:	16:37:31
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' type C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt '
Imagebase:	0x49d20000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3956 Parent PID: 1900

General

Start time:	16:37:31
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x49d20000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 2852 Parent PID: 3956

General

Start time:	16:37:31
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1992 Parent PID: 2852

General

Start time:	16:37:34
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a550000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 1884 Parent PID: 1992

General

Start time:	16:37:34
Start date:	13/02/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Imagebase:	0xa00000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmmon32.exe PID: 2360 Parent PID: 3768

General

Start time:	16:37:34
Start date:	13/02/2019
Path:	C:\Windows\System32\cmmon32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmmon32.exe
Imagebase:	0xef0000
File size:	43008 bytes
MD5 hash:	EA7BAAB0792C846DE451001FAE0FBD5F
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3004 Parent PID: 4064

General

Start time:	16:37:35
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c del 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x4a550000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 1264 Parent PID: 2852

General

Start time:	16:37:40
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0x1240000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: raserver.exe PID: 2964 Parent PID: 3768

General

Start time:	16:37:42
Start date:	13/02/2019
Path:	C:\Windows\System32\raserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\raserver.exe
Imagebase:	0xc70000
File size:	101888 bytes
MD5 hash:	0842FB9AC27460E2B0107F6B3A872FD5
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: certmgrqrj8dx.exe PID: 1800 Parent PID: 3768

General

Start time:	16:38:34
Start date:	13/02/2019
Path:	C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Imagebase:	0x1160000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira, Browse Detection: 100%, Avira, Browse Detection: 73%, virustotal, Browse Detection: 57%, metadefender, Browse
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1876 Parent PID: 1800

General

Start time:	16:38:36
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a4b0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bnmoc.exe PID: 2920 Parent PID: 1876

General

Start time:	16:38:36
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0xa0000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 1360 Parent PID: 2920

General

Start time:	16:38:41
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a400000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 2496 Parent PID: 1360

General

Start time:	16:38:41
Start date:	13/02/2019
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'bnmocxzasa' /d 'cmd /c type 'C:\Users\user\AppData\Local\Temp\bnmocxzasa.txt' \| cmd'
Imagebase:	0xbb0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: firefox.exe PID: 524 Parent PID: 4064

General

Start time:	16:38:42
Start date:	13/02/2019
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase:	0x9a0000
File size:	392872 bytes
MD5 hash:	7F0E061F5B6F311013968503D4C1D052
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: bnmoc.exe PID: 3144 Parent PID: 2920

General

Start time:	16:38:43
Start date:	13/02/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmoc.exe'
Imagebase:	0xa0000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msdt.exe PID: 3444 Parent PID: 3768

General

Start time:	16:38:45
Start date:	13/02/2019
Path:	C:\Windows\System32\msdt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msdt.exe
Imagebase:	0xb30000
File size:	983040 bytes
MD5 hash:	F67A64C46DE10425045AF682802F5BA6
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: certmgrqrj8dx.exe PID: 2352 Parent PID: 3768

General

Start time:	16:38:52
Start date:	13/02/2019
Path:	C:\Program Files\Mdxylb\certmgrqrj8dx.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Mdxylb\certmgrqrj8dx.exe'
Imagebase:	0x11c0000
File size:	309760 bytes
MD5 hash:	287782734F94678617B7028B029320AB
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cmd.exe PID: 3416 Parent PID: 2352

General

Start time:	16:38:54
Start date:	13/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x4a580000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report image.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage