Windows Analysis Report
SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Analysis ID: 1428838
MD5: b59e497bc48faee481fe3a7fe2fcd9be
SHA1: 7828ea379213ee691b879ffcb170b8077a50be34
SHA256: 8c2a4618805be59f901786631cb761c1be63389efc6eb1fab198a5dc6c8edb4a
Tags: exe
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Uses 32bit PE files

Classification

AV Detection

Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\GitHub\creamsoda\TequilaPC\obj\x86\Release\CreamSoda.pdb source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: global traffic HTTP traffic detected: GET /manifest.xml HTTP/1.1 Host: thunderspy.com Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_04BB620E WSARecv, 0_2_04BB620E
Source: unknown DNS traffic detected: queries for: thunderspy.com
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2894439917.0000000002999000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://thunderspy.com
Source: CreamSodaActivityLog.txt.0.dr String found in binary or memory: http://thunderspy.com/manifest.xml
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2894439917.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://thunderspy.com/manifest.xmlL.)lX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_04BB2052 NtQuerySystemInformation, 0_2_04BB2052
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_04BB2018 NtQuerySystemInformation, 0_2_04BB2018
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_00AB18D7 0_2_00AB18D7
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2893399252.00000000003BC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Xml.Linq.dllT vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2894439917.00000000028E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCreamSoda.exe4 vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2894439917.00000000028E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2894439917.00000000028E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -)lU,\\StringFileInfo\\000004B0\\OriginalFilenameL.)l vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000000.1642732324.00000000001C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCreamSoda.exe4 vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Binary or memory string: OriginalFilenameCreamSoda.exe4 vs SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal48.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_04BB1F82 AdjustTokenPrivileges, 0_2_04BB1F82
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Code function: 0_2_04BB1F4B AdjustTokenPrivileges, 0_2_04BB1F4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe File created: C:\Users\user\Desktop\CreamSodaActivityLog.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Memory allocated: AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Memory allocated: 28E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Memory allocated: D30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Memory allocated: 6530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Window / User API: threadDelayed 377 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe TID: 6892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe TID: 908 Thread sleep time: -188500s >= -30000s Jump to behavior
Source: SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe, 00000000.00000002.2896884000.00000000086A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABRisk.NVJI-4581.31168.9649.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior