Xcitium Cloud Verdict

File Name: virussign.com_754ab92ada89fdd88a100e5dd854dcb0.exe

File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed

SHA1: f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b

MD5: 754ab92ada89fdd88a100e5dd854dcb0

Download Kill Chain Report

Accessed Files

C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.ENU
C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.ENU.DLL
C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.EN
C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.EN.DLL
C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\System32\Help\upbiran.ini
- C:\Windows\System32\Help
- C:\Windows\System32
- C:\Windows\System32\Help\1.jmoruvx
- C:\Windows\System32\Help\2.jmoruvx
- F:
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\m.ini
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc
- C:\Windows\System32\jmoruvx\jmoruvx
- C:\Windows\System32\jmoruvx
- C:\Windows\System32\spool\DRIVERS\W32X86\3\moruvxjdel.bat
- C:\Windows\System32\spool\DRIVERS\W32X86\3\moruvxj\moruvxj.exe
- C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe
- C:\Windows\Help\jmoruvx.hlp
- C:\Windows\System32\spool\DRIVERS\W32X86\3\moruvxj
- C:\Windows\System32\spool\DRIVERS\W32X86\3
- C:\Windows\System32\spool\DRIVERS\W32X86
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\pqqrstu.exe
- C:\Windows\2.ini
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj
- D:\RECYCLER\S-1-5-18\Dc8
- D:\RECYCLER\S-1-5-18
- D:\RECYCLER
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj000.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj001.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj002.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj003.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj004.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj005.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj006.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj007.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj008.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj009.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj010.IMD
- C:\Users\user\AppData\Local\Temp\NULL
- C:\Windows\
- C:\Windows\moruvxj0.ini
- C:\Windows\moruvxj1.ini
- C:\Windows\moruvxj3.ini
- C:\Windows\moruvxj4.ini
- C:\Windows\moruvxj5.ini
- C:\Windows\SysWOW64\jmoruvx\jmoruvx\xyyabcc\pqqrstu.ENU
- C:\Windows\SysWOW64\jmoruvx\jmoruvx\xyyabcc\pqqrstu.ENU.DLL
- C:\Windows\SysWOW64\jmoruvx\jmoruvx\xyyabcc\pqqrstu.EN
- C:\Windows\SysWOW64\jmoruvx\jmoruvx\xyyabcc\pqqrstu.EN.DLL
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj011.IMD
Show More 47

Read Registry Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Common Startup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Show More 21

Modified Files

C:\Windows\System32\Help\upbiran.ini
C:\Windows\System32\Help\1.jmoruvx
C:\Windows\System32\Help\2.jmoruvx
C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\m.ini
C:\Windows\Help\jmoruvx.hlp
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\pqqrstu.exe
- C:\Windows\System32\spool\DRIVERS\W32X86\3\moruvxj\moruvxj.exe
- C:\Windows\2.ini
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj000.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj001.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj002.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj003.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj004.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj005.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj006.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj007.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj008.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj009.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj010.IMD
- C:\Windows\
Show More 15

Resolved APIs

kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
- oleaut32.dll.VarSub
- oleaut32.dll.VarMul
- oleaut32.dll.VarDiv
- oleaut32.dll.VarIdiv
- oleaut32.dll.VarMod
- oleaut32.dll.VarAnd
- oleaut32.dll.VarOr
- oleaut32.dll.VarXor
- oleaut32.dll.VarCmp
- oleaut32.dll.VarI4FromStr
- oleaut32.dll.VarR4FromStr
- oleaut32.dll.VarR8FromStr
- oleaut32.dll.VarDateFromStr
- oleaut32.dll.VarCyFromStr
- oleaut32.dll.VarBoolFromStr
- oleaut32.dll.VarBstrFromCy
- oleaut32.dll.VarBstrFromDate
- oleaut32.dll.VarBstrFromBool
- kernel32.dll.VirtualAllocEx
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Heap32ListFirst
- kernel32.dll.Heap32ListNext
- kernel32.dll.Heap32First
- kernel32.dll.Heap32Next
- kernel32.dll.Toolhelp32ReadProcessMemory
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.Process32FirstW
- kernel32.dll.Process32NextW
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- kernel32.dll.Module32First
- kernel32.dll.Module32Next
- kernel32.dll.Module32FirstW
- kernel32.dll.Module32NextW
Show More 56

Registry Keys

HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Common Startup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\pqqrstu.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Show More 40

Executed Commands

C:\Windows\system32\jmoruvx\jmoruvx\xyyabcc\pqqrstu.exe -close
svchost.exe -NetworkService

Read Files

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\System32\Help\upbiran.ini
C:\Windows\System32\Help\1.jmoruvx
C:\Windows\System32\Help\2.jmoruvx
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\m.ini
- C:\Users\user\AppData\Local\Temp\f2c7dbed7119e7c49e43bbc00bcfa56ddd091a2b.exe
- C:\Windows\Help\jmoruvx.hlp
- C:\Windows\System32\jmoruvx\jmoruvx\xyyabcc\pqqrstu.exe
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj000.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj001.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj002.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj003.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj004.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj005.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj006.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj007.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj008.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj009.IMD
- D:\RECYCLER\S-1-5-18\Dc8\moruvxj\moruvxj010.IMD
- C:\Windows\
Show More 16

Mutexes

CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
jmoruvx

Loading...