Information Discovery
Reads data out of its own binary image Show sources
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7.exe, pid: 2296, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7.exe, pid: 2296, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7.exe, pid: 2296, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7.exe, pid: 2296, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202.exe, pid: 2404, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202.exe, pid: 2404, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202.exe, pid: 2404, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202.exe, pid: 2404, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202a.exe, pid: 2484, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202a.exe, pid: 2484, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202a.exe, pid: 2484, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202a.exe, pid: 2484, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202b.exe, pid: 2568, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202b.exe, pid: 2568, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202b.exe, pid: 2568, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202b.exe, pid: 2568, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202c.exe, pid: 2644, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202c.exe, pid: 2644, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202c.exe, pid: 2644, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202c.exe, pid: 2644, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202d.exe, pid: 2720, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202d.exe, pid: 2720, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202d.exe, pid: 2720, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202d.exe, pid: 2720, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202e.exe, pid: 2796, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202e.exe, pid: 2796, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202e.exe, pid: 2796, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202e.exe, pid: 2796, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202f.exe, pid: 2872, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202f.exe, pid: 2872, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202f.exe, pid: 2872, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202f.exe, pid: 2872, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202g.exe, pid: 2948, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202g.exe, pid: 2948, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202g.exe, pid: 2948, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202g.exe, pid: 2948, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202h.exe, pid: 3024, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202h.exe, pid: 3024, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202h.exe, pid: 3024, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202h.exe, pid: 3024, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202i.exe, pid: 2152, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202i.exe, pid: 2152, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202i.exe, pid: 2152, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202i.exe, pid: 2152, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202j.exe, pid: 1660, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202j.exe, pid: 1660, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202j.exe, pid: 1660, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202j.exe, pid: 1660, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202k.exe, pid: 2280, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202k.exe, pid: 2280, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202k.exe, pid: 2280, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202k.exe, pid: 2280, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202l.exe, pid: 2460, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202l.exe, pid: 2460, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202l.exe, pid: 2460, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202l.exe, pid: 2460, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202m.exe, pid: 2452, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202m.exe, pid: 2452, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202m.exe, pid: 2452, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202m.exe, pid: 2452, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202n.exe, pid: 2344, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202n.exe, pid: 2344, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202n.exe, pid: 2344, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202n.exe, pid: 2344, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202o.exe, pid: 2708, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202o.exe, pid: 2708, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202o.exe, pid: 2708, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202o.exe, pid: 2708, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202p.exe, pid: 2816, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202p.exe, pid: 2816, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202p.exe, pid: 2816, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202p.exe, pid: 2816, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202q.exe, pid: 2900, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202q.exe, pid: 2900, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202q.exe, pid: 2900, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202q.exe, pid: 2900, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202r.exe, pid: 2920, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202r.exe, pid: 2920, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202r.exe, pid: 2920, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202r.exe, pid: 2920, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202s.exe, pid: 3000, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202s.exe, pid: 3000, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202s.exe, pid: 3000, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202s.exe, pid: 3000, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202t.exe, pid: 264, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202t.exe, pid: 264, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202t.exe, pid: 264, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202t.exe, pid: 264, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202u.exe, pid: 1196, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202u.exe, pid: 1196, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202u.exe, pid: 1196, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202u.exe, pid: 1196, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202v.exe, pid: 2472, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202v.exe, pid: 2472, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202v.exe, pid: 2472, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202v.exe, pid: 2472, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202w.exe, pid: 2508, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202w.exe, pid: 2508, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202w.exe, pid: 2508, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202w.exe, pid: 2508, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202x.exe, pid: 2672, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202x.exe, pid: 2672, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202x.exe, pid: 2672, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202x.exe, pid: 2672, offset: 0x00040b04, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe, pid: 2780, offset: 0x00031000, length: 0x00000010 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe, pid: 2780, offset: 0x0003cb2c, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe, pid: 2780, offset: 0x0003eb18, length: 0x00002000 |
| api_process_name | process: 0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe, pid: 2780, offset: 0x00040b04, length: 0x00002000 |
Packer
The executable is compressed using UPX Show sources
| packer_section | name: UPX0, entropy: 6.46, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00022000, virtual_size: 0x00022000 |
Hooking and other Techniques for Hiding Protection
Likely virus infection of existing system binary Show sources
| file | c:\users\user\appdata\local\temp\0537f9741eaeb183d6e0e96719fb8f86912615f7.exe |
Data Obfuscation
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202d.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202v.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202c.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202i.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202p.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202q.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202s.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202n.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202o.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202e.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202w.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202f.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202a.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202l.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202m.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202h.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202t.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202g.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202b.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202x.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202j.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202r.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202k.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202u.exe |
Persistence and Installation Behavior
Installs itself for autorun at Windows startup Show sources
| registry_write | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler |
| data | "c:\users\user\appdata\local\temp\0537f9741eaeb183d6e0e96719fb8f86912615f7_3202y.exe" |
Malware Analysis System Evasion
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | 0537f9741eaeb183d6e0e96719fb8f86912615f7.exe, PID 2296 |