|
|
4/5
|
Injection
|
Writes into the memory of another running process
|
-
|
|
|
-
"c:\users\ciihmnxmn6ps\desktop\urkotu.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\windows portable devices\uni.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\internet explorer\ten.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\windows multimedia platform\gp-blank.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\common files\engagement cologne.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\cambridge.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\msbuild\amateur-dishes.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\reference assemblies\science old.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\windowspowershell\handling investing experimental.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\internet explorer\pdf_incoming_tracked.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\common files\rangestremendous.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\common files\uncertainty_furnishings_tramadol.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\windows sidebar\batteries_dirty.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\windows portable devices\disorder.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\mozilla maintenance service\solo.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\java\likes skiing.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\windows sidebar\touringcontinuedrussia.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\common files\matching.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files\uninstall information\readingsunto.exe"
|
|
|
-
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\program files (x86)\microsoft.net\colininstallations.exe"
|
|
|
3/5
|
Anti Analysis
|
Tries to evade debugger
|
-
|
|
|
-
Hides Thread via API "NtSetInformationThread".
|
|
|
3/5
|
Anti Analysis
|
Tries to detect application sandbox
|
-
|
|
|
-
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version".
|
|
|
-
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name".
|
|
|
3/5
|
OS
|
Modifies system configuration
|
-
|
|
|
-
Sets "plybkq.exe" as debugger for the application "rstrui.exe".
|
|
|
3/5
|
Browser
|
Changes security-related browser settings
|
-
|
|
|
-
Changes settings for the Security Zone "local internet".
|
|
|
-
Changes settings for the Security Zone "trustworthy sites".
|
|
|
-
Changes settings for the Security Zone "internet".
|
|
|
-
Changes settings for the Security Zone "restricted sites".
|
|
|
3/5
|
Anti Analysis
|
Tries to detect the presence of antivirus software
|
-
|
|
|
-
Possibly trying to detect "Symantec" via registry.
|
|
|
3/5
|
Anti Analysis
|
Makes unaligned API calls to possibly evade hooking based sandboxes
|
-
|
|
|
-
Makes an unaligned function call "LdrGetProcedureAddress" with offset 0x2.
|
|
|
-
Makes an unaligned function call "GetModuleHandleA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegCreateKeyExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegCloseKey" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetModuleHandleW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "OpenProcessToken" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetModuleFileNameW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetSystemDirectoryW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetVersionExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetProcAddress" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegOpenKeyExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RtlAdjustPrivilege" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegQueryValueExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetKeyboardLayout" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegQueryValueExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetWindowsDirectoryW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetTopWindow" with offset 0x5.
|
|
|
-
Makes an unaligned function call "CreateFileMappingW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "MapViewOfFile" with offset 0x5.
|
|
|
-
Makes an unaligned function call "UnmapViewOfFile" with offset 0x5.
|
|
|
-
Makes an unaligned function call "LoadLibraryA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegEnumValueW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegQueryInfoKeyA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegEnumKeyExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegQueryInfoKeyW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "MoveFileExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegSetValueExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "SetEnvironmentVariableA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "CreateProcessW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetProcessId" with offset 0x5.
|
|
|
-
Makes an unaligned function call "VirtualQueryEx" with offset 0x5.
|
|
|
-
Makes an unaligned function call "ReadProcessMemory" with offset 0x5.
|
|
|
-
Makes an unaligned function call "OpenSCManagerW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "OpenServiceW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "QueryServiceStatus" with offset 0x5.
|
|
|
-
Makes an unaligned function call "ChangeServiceConfigW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegSetValueExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegEnumKeyExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetWindowsDirectoryA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegOpenKeyExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "RegDeleteKeyA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "CreateWindowExA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "EnumWindows" with offset 0x5.
|
|
|
-
Makes an unaligned function call "SetWindowLongA" with offset 0x5.
|
|
|
-
Makes an unaligned function call "GetComputerNameExW" with offset 0x5.
|
|
|
-
Makes an unaligned function call "getaddrinfo" with offset 0x5.
|
|
|
2/5
|
Anti Analysis
|
Tries to detect debugger
|
-
|
|
|
-
Check via API "IsDebuggerPresent".
|
|
|
-
Check via API "NtQueryInformationProcess".
|
|
|
2/5
|
Anti Analysis
|
Tries to detect virtual machine
|
-
|
|
|
-
Reads out system information, commonly used to detect VMs via registry. (Value "SystemManufacturer" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS").
|
|
|
-
Reads out system information, commonly used to detect VMs via registry. (Value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System").
|
|
|
-
Possibly trying to detect VirtualBox via file "vboxvideo.sys".
|
|
|
-
Possibly trying to detect VirtualBox via file "vboxguest.sys".
|
|
|
-
Possibly trying to detect VMware via file "c:\windows\system32\drivers\vmhgfs.sys".
|
|
|
-
Possibly trying to detect VMware via registry "HKEY_CURRENT_USER\Software\VMware, Inc.".
|
|
|
2/5
|
Anti Analysis
|
Makes direct system call to possibly evade hooking based sandboxes
|
-
|
|
|
-
Makes a direct system call to "NtProtectVirtualMemory".
|
|
|
-
Makes a direct system call to "NtOpenProcess".
|
|
|
-
Makes a direct system call to "NtSetValueKey".
|
|
|
-
Makes a direct system call to "NtMapViewOfSection".
|
|
|
-
Makes a direct system call to "NtUnmapViewOfSection".
|
|
|
-
Makes a direct system call to "NtGetContextThread".
|
|
|
-
Makes a direct system call to "NtResumeThread".
|
|
|
-
Makes a direct system call to "NtOpenThread".
|
|
|
-
Makes a direct system call to "NtWriteVirtualMemory".
|
|
|
-
Makes a direct system call to "NtReadVirtualMemory".
|
|
|
2/5
|
File System
|
Known suspicious file
|
Trojan
|
|
|
-
File "C:\Users\CIiHmnxMn6Ps\Desktop\urkotu.exe" is a known suspicious file.
|
|
|
2/5
|
Injection
|
Writes into the memory of a process running from a created or modified executable
|
-
|
|
|
-
"c:\users\ciihmnxmn6ps\desktop\urkotu.exe" modifies memory of "c:\users\ciihmnxmn6ps\desktop\urkotu.exe"
|
|
|
2/5
|
Injection
|
Modifies control flow of a process running from a created or modified executable
|
-
|
|
|
-
"c:\users\ciihmnxmn6ps\desktop\urkotu.exe" alters context of "c:\users\ciihmnxmn6ps\desktop\urkotu.exe"
|
|
|
1/5
|
Process
|
Creates system object
|
-
|
|
|
-
Creates mutex with name "{ergvvsvfxlybedyahvxbrbqcraka}".
|
|
|
1/5
|
Anti Analysis
|
Resolves APIs dynamically
|
-
|
|
|
-
Resolves an unusually high number of APIs.
|
|
|
1/5
|
Process
|
Creates process with hidden window
|
-
|
|
|
-
The process "C:\Users\CIiHmnxMn6Ps\Desktop\urkotu.exe" starts with hidden window.
|
|
|
-
The process "C:\Windows\SysWOW64\explorer.exe" starts with hidden window.
|
|
|
1/5
|
Process
|
Reads from memory of another process
|
-
|
|
|
-
"c:\users\ciihmnxmn6ps\desktop\urkotu.exe" reads from "C:\Users\CIiHmnxMn6Ps\Desktop\urkotu.exe".
|
|
|
-
"c:\users\ciihmnxmn6ps\desktop\urkotu.exe" reads from "C:\Windows\SysWOW64\explorer.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\windows portable devices\uni.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\internet explorer\ten.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\windows multimedia platform\gp-blank.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\common files\engagement cologne.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\internet explorer\cambridge.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\msbuild\amateur-dishes.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\reference assemblies\science old.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\windowspowershell\handling investing experimental.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\internet explorer\pdf_incoming_tracked.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\common files\rangestremendous.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\common files\uncertainty_furnishings_tramadol.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\windows sidebar\batteries_dirty.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\windows portable devices\disorder.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\mozilla maintenance service\solo.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\java\likes skiing.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\windows sidebar\touringcontinuedrussia.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\common files\matching.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files\uninstall information\readingsunto.exe".
|
|
|
-
"c:\windows\syswow64\explorer.exe" reads from "c:\program files (x86)\microsoft.net\colininstallations.exe".
|
|
|
1/5
|
Process
|
Creates a page with write and execute permissions
|
-
|
|
|
-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
|
|
1/5
|
Persistence
|
Installs system startup script or application
|
-
|
|
|
-
Adds "c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\windows\start menu\programs\startup" to Windows startup folder.
|
|
|
-
Adds "c:\programdata\microsoft\windows\start menu\programs\startup" to Windows startup folder.
|
|
|
-
Adds "C:\ProgramData\Task Protect 2.3\ws97995e1qms.exe" to Windows startup via registry.
|
|
|
-
Adds ""C:\ProgramData\Task Protect 2.3\ws97995e1qms.exe"" to Windows startup via registry.
|
|
|
1/5
|
OS
|
Modifies Windows Firewall configuration
|
-
|
|
|
-
Disables the Windows Firewall by registry.
|
|
|
1/5
|
Network
|
Performs DNS request
|
-
|
|
|
-
Resolves host name "google.com".
|
|
|
1/5
|
Process
|
Overwrites code
|
-
|
|
|
-
Overwrites code to possibly hide behavior.
|
|
|
1/5
|
Static
|
Unparsable sections in file
|
-
|
|
|
-
Static analyzer was unable to completely parse the analyzed file: C:\Users\CIiHmnxMn6Ps\Desktop\urkotu.exe.
|
