Windows Analysis Report
AO_RDS01_2024-04-18_16_39_30.221.zip

Overview

General Information

Sample name:	AO_RDS01_2024-04-18_16_39_30.221.zip
Analysis ID:	1428288
MD5:	f827a1fd82ba3c0a6e29b52c846350c4
SHA1:	0cbaa6e35f322eb6cb783b3c78f7c2ba98c727d4
SHA256:	704784b07c98d684e9d8bc49631f333ae54cedd94f2fbbc7ce3506ddc0f6b221
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Drops PE files

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

ReversingLabs: Detection: 54%

Source:

Binary string: C:\Users\user.DESKTOP-3VUNKBC\Downloads\Account\CrackAccount\obj\Debug\test.pdb source: 7zG.exe, 0000000E.00000003.1581912628.0000014075E30000.00000004.00000800.00020000.00000000.sdmp, AccountRestore.exe, 00000011.00000000.1756166927.00000000004E2000.00000002.00000001.01000000.00000008.sdmp, AccountRestore.exe.14.dr

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.baml
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.bamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.bamll

Detected potential crypto function

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Code function: 17_2_0ABD66F0		17_2_0ABD66F0
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Code function: 17_2_0ABD66E2		17_2_0ABD66E2

Source: manifest.json.14.dr

Binary string: [{"included":true,"path":"\\Device\\HarddiskVolume4\\Users\\jjohnson\\Music\\AccountRestore.exe","reason":"","sha1":"28400c267815762e49c200e8b481a592c67f9cf7","sha256":"e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef","size":29184}]

Source: classification engine

Classification label: mal48.winZIP@3/2@0/0

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221

Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\" -spe -an -ai#7zMap23008:124:7zEvent13671
Source: unknown	Process created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe "C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221C:\Users\jjohnson\Music\AccountRestore.exe"

Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: adsnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: assignedaccessruntime.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: networkexplorer.dll	Jump to behavior

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Window detected: Number of UI elements: 13

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Drops PE files

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Jump to dropped file

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: AccountRestore.exe, 00000011.00000002.2285458013.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\|
Source: AccountRestore.exe, 00000011.00000002.2285458013.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: AccountRestore.exe, 00000011.00000002.2288141082.000000000AEB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_C

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	5A01695BE573F95DFC0CF73AB6B5234D	28400C267815762E49C200E8B481A592C67F9CF7	E97BDF7FAFB1CB2A2BF0A4E14F51E18A34F3FF2F6F7B99731E93070D50801BEF
C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\manifest.json	JSON data	65D31CAAE0A3287E5BAFB5D49F32A19F	C7984EC3D628BF38A34C86DF7B138B1F060852E0	7E330274CC48E8BEF1D16539FDD6BAFAA52D2C422FC55CCDCDE0B5E349B56083

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

ReversingLabs: Detection: 54%

Source:

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/View/MainWindow.xamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/View/MainWindow.xamll
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.baml
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.bamlP
Source: AccountRestore.exe, 00000011.00000002.2281631957.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/view/mainwindow.bamll

Detected potential crypto function

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Code function: 17_2_0ABD66F0		17_2_0ABD66F0
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Code function: 17_2_0ABD66E2		17_2_0ABD66E2

Source: manifest.json.14.dr

Source: classification engine

Classification label: mal48.winZIP@3/2@0/0

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221

Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\" -spe -an -ai#7zMap23008:124:7zEvent13671
Source: unknown	Process created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe "C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221C:\Users\jjohnson\Music\AccountRestore.exe"

Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: adsnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: assignedaccessruntime.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Section loaded: networkexplorer.dll	Jump to behavior

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Window detected: Number of UI elements: 13

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Drops PE files

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Jump to dropped file

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: AccountRestore.exe, 00000011.00000002.2285458013.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\|
Source: AccountRestore.exe, 00000011.00000002.2285458013.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: AccountRestore.exe, 00000011.00000002.2288141082.000000000AEB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_C

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\AO_RDS01_2024-04-18_16_39_30.221\Device\HarddiskVolume4\Users\jjohnson\Music\AccountRestore.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH			Jump to behavior

ID:	1428288
Product:	CloudBasic
Start time:	19:13:15
Start date:	18.04.2024
Sample:	AO_RDS01_2024-04-18_16_39_30.221.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f827a1fd82ba3c0a6e29b52c846350c4
SHA1:	0cbaa6e35f322eb6cb783b3c78f7c2ba98c727d4
SHA256:	704784b07c98d684e9d8bc49631f333ae54cedd94f2fbbc7ce3506ddc0f6b221
Filetype:	ZIP compressed archive (8000/1) 100.00%

Windows Analysis Report
AO_RDS01_2024-04-18_16_39_30.221.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report AO_RDS01_2024-04-18_16_39_30.221.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
AO_RDS01_2024-04-18_16_39_30.221.zip