Windows Analysis Report
XMLSAT++.exe

Overview

General Information

Sample name: XMLSAT++.exe
Analysis ID: 1428358
MD5: 871758a2ed01cd34e3db8449c9f830d5
SHA1: 083b1d6e622022ebda5200a62c39cf7061178419
SHA256: 8dc574c5ad0a26d4b25f3ec405ae14bf2e4c99b1dff8bc07b3db99e2db896a19

Detection

PureLog Stealer, RedLine
Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Uses Windows timers to delay execution
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Source: XMLSAT++.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: XMLSAT++.exe Static PE information: certificate valid
Source: XMLSAT++.exe, 00000000.00000003.1245589383.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1245696954.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XMLSAT++.exe, 00000000.00000003.1251281080.000000000C493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/
Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/bJ
Source: XMLSAT++.exe, 00000000.00000003.1257557384.0000000003BED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/n
Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como.jp/
Source: XMLSAT++.exe, 00000000.00000003.1245238958.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244832478.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1245339469.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244940337.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244675614.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: XMLSAT++.exe, 00000000.00000003.1245238958.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244832478.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1245339469.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244940337.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1244675614.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comF8
Source: XMLSAT++.exe, 00000000.00000003.1249703416.000000000C491000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: XMLSAT++.exe, 00000000.00000003.1249703416.000000000C491000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnar
Source: XMLSAT++.exe, 00000000.00000003.1249703416.000000000C491000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnion
Source: XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-de
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/:J
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/TJ
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: XMLSAT++.exe, 00000000.00000003.1252032890.000000000C483000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/bJ
Source: XMLSAT++.exe, 00000000.00000003.1252032890.000000000C483000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1252731716.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/in
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/bJ
Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/kJ
Source: XMLSAT++.exe, 00000000.00000003.1253968334.000000000C485000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1253112876.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1255180385.000000000C489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l-gOJ
Source: XMLSAT++.exe, 00000000.00000003.1263717219.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263369312.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263259643.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1264307838.000000000C4BA000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1264130566.000000000C4BA000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263458483.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1264410365.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263782385.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263068295.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263548162.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1264011528.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263649120.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263135323.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263927429.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1263862484.000000000C4BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/AuxiliarFolios
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/AuxiliarFolios/AuxiliarFolios_1
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/AuxiliarFolios/AuxiliarFolios_1_3.xsd
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/BalanzaComprobacion
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/BalanzaComprobacion/BalanzaComprobacion_1_
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/BalanzaComprobacion/BalanzaComprobacion_1_3.xsd
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/BalanzaComprobacion/BalanzaComprobacion_1_3.xsd0
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas/CatalogoCuentas_1_
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas/CatalogoCuentas_1_3.xsd
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas/CatalogoCuentas_1_3.xsd0
Source: XMLSAT++.exe, 00000000.00000003.1245818384.000000000C48E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.typography.net
Source: XMLSAT++.exe, 00000000.00000003.1245818384.000000000C48E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netu
Source: XMLSAT++.exe, 00000000.00000003.1251281080.000000000C493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: XMLSAT++.exe, 00000000.00000003.1251281080.000000000C493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: XMLSAT++.exe, 00000000.00000003.1251281080.000000000C493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnr-c
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/api/createTicket.php
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/register.php
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/register.php4
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/validate.php?uuid=
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/validate.php?uuid=4
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api24
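Triage note (added here; not part of the Joe Sandbox report or of the sample): most of the URLs above are not indicators on their own. Memory string carving runs past the terminator, which is why http://www.fonts.com is listed again as http://www.fonts.comF8 and https://licencias.construapps.com/api2 as https://licencias.construapps.com/api24. The foundry domains (fontfabrik.com, fontbureau.com, fonts.com, founder.com.cn, jiyu-kobo.co.jp, sakkal.com, typography.net, zhongyicts.com.cn) are the kind of strings carried in the name tables of fonts that ship with Windows and surface when a WinForms/GDI+ process enumerates fonts, and the sat.gob.mx and schemas.xmlsoap.org entries are XML schema namespaces. What remains for an analyst to pivot on is the licencias.construapps.com licensing API. Elsewhere on this page the recorded file activity is the creation of C:\Users\user\Desktop\dbDATOS33.db, and the malicious classification rests on the community Yara matches listed under Signatures. The Python script below, written for this report and not taken from Joe Sandbox or from the sample, parses evidence lines of exactly this shape, collapses over-read tails, buckets what is left and records which memory dump each URL was carved from. The foundry and schema host lists are constructed for this example, and reading the fourth dotted field of a dump id as the region's base address is an assumption about the naming scheme.

```python
"""Triage the 'String found in binary or memory' evidence of a Joe Sandbox report.

Added example for this report page; it is not Joe Sandbox code and not part of
the analysed sample.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: evidence lines copied from the report above (the Source field is
# shortened to a single dump id where the report lists several, except the first line).
SAMPLE_LINES = [
    "Source: XMLSAT++.exe, 00000000.00000003.1245589383.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp, XMLSAT++.exe, 00000000.00000003.1245696954.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Source: XMLSAT++.exe, 00000000.00000003.1251281080.000000000C493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0",
    "Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/",
    "Source: XMLSAT++.exe, 00000000.00000003.1255523610.000000000C48A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/bJ",
    "Source: XMLSAT++.exe, 00000000.00000003.1245238958.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com",
    "Source: XMLSAT++.exe, 00000000.00000003.1245238958.000000000C4B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comF8",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas/CatalogoCuentas_1_3.xsd",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sat.gob.mx/esquemas/ContabilidadE/1_3/CatalogoCuentas/CatalogoCuentas_1_3.xsd0",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/register.php",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/register.php4",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api2/validate.php?uuid=",
    "Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://licencias.construapps.com/api24",
    r"Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: mscoree.dll Jump to behavior",  # not URL evidence, must be skipped
]

EVIDENCE_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
DUMP_RE = re.compile(r"([0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7})\.sdmp")  # one dotted dump id
MAX_TAIL = 5  # longest trailing garbage we are willing to call an over-read

# Constructed allow-list: foundries whose fonts ship with Windows. Their URLs live in
# the fonts' name tables and say nothing about the sample's own network intent.
FONT_FOUNDRY_HOSTS = {
    "fontfabrik.com", "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
    "www.jiyu-kobo.co.jp", "www.sakkal.com", "www.typography.net", "www.zhongyicts.com.cn",
}
SCHEMA_OR_LICENCE_HOSTS = {"schemas.xmlsoap.org", "www.apache.org"}  # constructed


def parse_evidence(lines):
    """Yield (url, tuple_of_dump_ids) for each URL evidence line; other lines are skipped."""
    for line in lines:
        m = EVIDENCE_RE.match(line.strip())
        if m:
            yield m.group("url"), tuple(DUMP_RE.findall(m.group("src")))


def collapse_overreads(urls):
    """Return (kept, dropped); dropped maps an over-read string to the string it extends.

    A string is an over-read when another carved string is a proper prefix of it and the
    extra tail is short and has no path separator. Truncated strings (a prefix that is
    shorter than the real URL) are deliberately left alone; they need manual review.
    """
    urls = set(urls)
    kept, dropped = set(urls), {}
    for u in urls:
        for v in urls:
            if v != u and u.startswith(v):
                tail = u[len(v):]
                if len(tail) <= MAX_TAIL and "/" not in tail:
                    dropped[u] = v
                    kept.discard(u)
                    break
    return kept, dropped


def classify(url):
    """Bucket a URL as font-metadata, schema-or-licence, or review (everything else)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in FONT_FOUNDRY_HOSTS:
        return "font-metadata"
    # sat.gob.mx publishes its XSD tree under /esquemas/, so that path is treated as schema too
    if host in SCHEMA_OR_LICENCE_HOSTS or parts.path.endswith(".xsd") or "/esquemas/" in parts.path:
        return "schema-or-licence"
    return "review"


def triage(lines):
    """Parse, collapse over-reads and bucket; returns (buckets, dropped, dumps_by_url)."""
    dumps_by_url = defaultdict(set)
    for url, dumps in parse_evidence(lines):
        dumps_by_url[url].update(dumps)
    kept, dropped = collapse_overreads(dumps_by_url)
    buckets = defaultdict(list)
    for url in sorted(kept):
        buckets[classify(url)].append(url)
    return dict(buckets), dropped, dict(dumps_by_url)


if __name__ == "__main__":
    buckets, dropped, dumps_by_url = triage(SAMPLE_LINES)
    for u, v in sorted(dropped.items()):
        print(f"over-read  {u}  (extends {v})")
    for bucket, urls in buckets.items():
        print(f"\n[{bucket}]")
        for u in urls:
            # Fourth dotted field of the dump id, assumed to be the region's base address;
            # enough to see which strings were carved from the same region.
            regions = sorted({d.split(".")[3] for d in dumps_by_url[u]})
            print(f"  {u}  <- {', '.join(regions)}")
```

On the constructed input only the three construapps.com endpoints end up in the review bucket, and the dump ids show them sharing one region with the SAT schema strings while the foundry strings come from the stage-3 dumps. The heuristic is deliberately conservative: it never removes a string that is shorter than its sibling, so truncated URLs such as the BalanzaComprobacion_1_ entry above still have to be read by hand.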

System Summary

Source: XMLSAT++.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03C79E78
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03C7118D
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03C711A8
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DC0040
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DC2420
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DC2978
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DD3FEC
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DD5B42
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorlib.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $bq,\\StringFileInfo\\040904B0\\OriginalFilename vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Core.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesystem.data.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorlib.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $bq,\\StringFileInfo\\040904B0\\OriginalFilename vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Core.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesystem.data.dllT vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $bq,\\StringFileInfo\\040904B0\\OriginalFilename@f vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000003.1186890945.000000000202B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs XMLSAT++.exe
Source: XMLSAT++.exe, 00000000.00000003.1186890945.000000000202B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempclient.dllj% vs XMLSAT++.exe
Source: XMLSAT++.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: XMLSAT++.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: classification engine Classification label: mal51.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\XMLSAT++.exe File created: C:\Users\user\Desktop\dbDATOS33.db Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Mutant created: NULL
Source: XMLSAT++.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XMLSAT++.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPAGOS10v2 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO40 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENREPORTE33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table XML (`id`INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,`uuid` TEXT Not NULL, carpeta1 TEXT Not NULL,`carpeta2` TEXT Not NULL,`integridad` TEXT Not NULL);
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS42 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));@f
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS32 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENXMLMULTIRFC (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));L
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPAGOS204 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENREPORTE40 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO_33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPDFSELENIUM (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));@f
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO_33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));@f
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENNOMINA12FOLDER (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPAGOS10v2 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bqF
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRESUMEN (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRESUMEN (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33VOLUMENES2 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENXMLSELENIUM (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOSGLOBAL (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33_E (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table XML (`id`INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,`uuid` TEXT Not NULL, carpeta1 TEXT Not NULL,`carpeta2` TEXT Not NULL,`integridad` TEXT Not NULL);0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS32 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENXMLSELENIUM (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENRENOMBRADO40 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS42 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33_E (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPAGOS204 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENREPORTE40 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));3@f
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENXMLMULTIRFC (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENPDFSELENIUM (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENXMLMULTIRFC (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.0000000008B22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENNOMINA12FOLDER (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, `estado` INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));0\bq
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOSGLOBAL (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`)); @f
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENDATOS33VOLUMENES2 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: XMLSAT++.exe, 00000000.00000002.2607978829.00000000087B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: create table ORDENREPORTE33 (`id`INTEGER Not NULL,`nombre` TEXT Not NULL, estado INTEGER Not NULL,`orden` INTEGER Not NULL,PRIMARY KEY(`id`));
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\XMLSAT++.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\XMLSAT++.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: XMLSAT++.exe Static PE information: certificate valid
Source: XMLSAT++.exe Static file information: File size 27361688 > 1048576
Source: XMLSAT++.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x19f3400
Source: XMLSAT++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DC41D7 push esi; iretd 0_2_03DC41E0
Source: C:\Users\user\Desktop\XMLSAT++.exe Code function: 0_2_03DDD797 push eax; mov dword ptr [esp], ecx 0_2_03DDD7AC
Source: C:\Users\user\Desktop\XMLSAT++.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XMLSAT++.exe User Timer Set: Timeout: 100ms
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 3C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 87B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 3DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: D9B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 109B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 13870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: B3E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: E0C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: F0C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 194E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 100C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 1A4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 1C4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: 1F4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\XMLSAT++.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XMLSAT++.exe TID: 2956 Thread sleep time: -922337203685477s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: XMLSAT++.exe, 00000000.00000003.1241066389.000000000206E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfs
Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n8AfcyPAfS5VU1iqeMu6
Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TuP2g5QEMUSsokfDULDs
Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qoxqEMUB5QDevPaQaBUl
Source: XMLSAT++.exe, 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cG54pLHGFSi6oO8N3gY3
Source: C:\Users\user\Desktop\XMLSAT++.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\XMLSAT++.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: XMLSAT++.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2455400705.0000000007014000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: XMLSAT++.exe, type: SAMPLE
No contacted IP infos
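What follows is an added triage example written for this page; it is not part of the Joe Sandbox report and not Joe Sandbox code. The behavior section above is dominated by a few hundred identical "Queries volume information" events against C:\Windows\Fonts. In a .NET sample that pattern is System.Drawing/GDI+ walking the installed fonts and is noise, not a sandbox check in itself. The events worth an analyst's attention are the System.Data.dll resolution from GAC_32 (the process ran as a 32-bit .NET Framework 4 assembly) and the single read of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid, the value .NET stealers commonly turn into a per-victim hardware ID. The Yara rules fired on both the file on disk and a process memory dump, so the stealer code is identifiable in both places; with no contacted IPs recorded in this run, any C2 indicators have to be extracted from that dump rather than from traffic. The script below parses lines in the report's own format, collapses the font noise to a count, and surfaces the remaining events. The five embedded lines are copied from the report; the category names, the HWID_VALUES table and the bitness hint are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox behavior lines (added example, not report code).

Collapses repetitive font-enumeration noise and surfaces the events that
matter for a RedLine/PureLog triage: framework assembly loads (bitness hint)
and registry reads used to build a host identifier.
"""
import re
from collections import Counter

# Constructed sample: five lines copied verbatim from the report section
# above. A real run would feed in the whole behavior section.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\XMLSAT++.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
""".strip().splitlines()

# The two line shapes present in the report; other event kinds are ignored here.
VOL_RE = re.compile(r"^Source: (?P<proc>.+?) Queries volume information: (?P<path>.+?) VolumeInformation$")
REG_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)$")

FONT_DIR = "c:\\windows\\fonts\\"
GAC_DIR = "\\microsoft.net\\assembly\\"
# Assumption of this example: registry values that stealer families read to
# derive a stable per-victim identifier (HWID). Extend as needed.
HWID_VALUES = {
    ("hkey_local_machine\\software\\microsoft\\cryptography", "machineguid"),
}


def parse_line(line):
    """Classify one report line; returns {category, proc, target} or None."""
    m = VOL_RE.match(line)
    if m:
        path = m.group("path")
        low = path.lower()
        if low.startswith(FONT_DIR):
            category = "font_enum"        # System.Drawing/GDI+ walking installed fonts
        elif GAC_DIR in low:
            category = "dotnet_gac_load"  # CLR resolving a framework assembly
        else:
            category = "other_file"
        return {"category": category, "proc": m.group("proc"), "target": path}
    m = REG_RE.match(line)
    if m:
        key, value = m.group("key"), m.group("value")
        is_hwid = (key.lower(), value.lower()) in HWID_VALUES
        return {
            "category": "host_fingerprint" if is_hwid else "other_registry",
            "proc": m.group("proc"),
            "target": key + "\\" + value,
        }
    return None


def triage(lines):
    """Summarize parsed events: per-category counts, size of the font noise,
    a .NET bitness hint, and the non-noise events in report order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    counts = Counter(e["category"] for e in events)
    font_files = {e["target"].lower() for e in events if e["category"] == "font_enum"}
    gac_paths = [e["target"].lower() for e in events if e["category"] == "dotnet_gac_load"]
    # GAC_32 vs GAC_64 shows which architecture-specific assemblies the CLR
    # resolved, i.e. whether the managed process itself ran as x86 or x64.
    bitness = None
    if any("\\gac_32\\" in p for p in gac_paths):
        bitness = "x86"
    elif any("\\gac_64\\" in p for p in gac_paths):
        bitness = "x64"
    return {
        "counts": dict(counts),
        "unique_font_files": len(font_files),
        "dotnet_bitness_hint": bitness,
        "interesting": [e for e in events if e["category"] != "font_enum"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    print("event counts:", summary["counts"])
    print("font files touched:", summary["unique_font_files"],
          "| .NET bitness hint:", summary["dotnet_bitness_hint"])
    for e in summary["interesting"]:
        print(f"[{e['category']}] {e['proc']} -> {e['target']}")
```

Run against the full section, the font bucket absorbs the roughly 230 font lines (including the repeated simsun, Sitka and YuGoth entries) and the output reduces to the GAC_32 assembly resolution and the MachineGuid read, which is what a detection engineer would carry into a rule or a case note.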