Windows Analysis Report
2M1NS61GG8.exe

Overview

General Information

Sample name: 2M1NS61GG8.exe
renamed because original name is a hash value
Original sample name: c7eea9d0d8f7bf74bd7c25990458bcf8.exe
Analysis ID: 1429054
MD5: c7eea9d0d8f7bf74bd7c25990458bcf8
SHA1: 4a03f78ca6f3df3c692ad31d2bdee7cb58b86c3d
SHA256: 28794b11097d9740a1bfce3e06458bccdccc167ceb75a140b4d031d052528d10
Tags: 32exe

Detection

LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer component which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: 2M1NS61GG8.exe Avira: detected
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "rocketmusclesksj.shop"], "Build id": "A99MuA--"}
Source: economicscreateojsu.shop Virustotal: Detection: 13%
Source: mealplayerpreceodsju.shop Virustotal: Detection: 18%
Source: entitlementappwo.shop Virustotal: Detection: 17%
Source: 2M1NS61GG8.exe ReversingLabs: Detection: 39%
Source: 2M1NS61GG8.exe Virustotal: Detection: 32%
Source: 2M1NS61GG8.exe Joe Sandbox ML: detected
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: wifeplasterbakewis.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: mealplayerpreceodsju.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: bordersoarmanusjuw.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: suitcaseacanehalk.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: absentconvicsjawun.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: pushjellysingeywus.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: economicscreateojsu.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: entitlementappwo.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: rocketmusclesksj.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: TeslaBrowser/5.5
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: - Screen Resoluton:
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: - Physical Installed Memory:
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: Workgroup: -
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack String decryptor: A99MuA--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00415C49 CryptUnprotectData, 8_2_00415C49
Source: 2M1NS61GG8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: unknown HTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: 2M1NS61GG8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dllO source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 5C3924FCh 8_2_0041504B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0041D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esp+44h] 8_2_0043703B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0041D3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 8_2_00418533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 8_2_00402A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp dword ptr [eax+edi*8], 5C3924FCh 8_2_00421A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 8_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov byte ptr [ecx], al 8_2_00416ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 8_2_00417F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h 8_2_0041B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 8_2_004112B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 904D52BCh 8_2_00417349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 8_2_0040D360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp eax 8_2_00439376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esi+5Ch] 8_2_00424461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5C3924FCh 8_2_00417491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h 8_2_00413499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_00402580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp ebx 8_2_00439603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0041562F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp esi 8_2_0043974A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov byte ptr [ebx], dl 8_2_00425754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov byte ptr [ebx], dl 8_2_0042576E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov word ptr [eax], dx 8_2_0041A8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov edx, dword ptr [esi+70h] 8_2_00417945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then dec esi 8_2_00439902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000080h] 8_2_004099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp ecx 8_2_00439A76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov byte ptr [ecx], al 8_2_00416ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then inc ebx 8_2_00414AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 8_2_00436CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov word ptr [ebx], cx 8_2_00414ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov dword ptr [esi+08h], ecx 8_2_00424FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 8_2_00413F8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_050CA5A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_050CD9A8

Networking

Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: GET /bLNQtdR/1667-Final.webp HTTP/1.1 | Host: i.ibb.co | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 169.197.85.95
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18158 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8779 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20432 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 7079 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1385 | Host: rocketmusclesksj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 588083 | Host: rocketmusclesksj.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: i.ibb.co
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rocketmusclesksj.shop
Source: 2M1NS61GG8.exe String found in binary or memory: http://kolbi.cz
Source: AddInProcess32.exe, 00000004.00000002.2516044388.0000000005C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://i.ibb.co
Source: 2M1NS61GG8.exe String found in binary or memory: https://i.ibb.co/bLNQtdR/1667-Final.webp
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rocketmusclesksj.shop/%
Source: AddInProcess32.exe, 00000008.00000002.2502297595.0000000002E14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rocketmusclesksj.shop/0
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rocketmusclesksj.shop/api
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rocketmusclesksj.shop/api.
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rocketmusclesksj.shop:443/api
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anon.com/frit/asfta.dara
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0042E280 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 8_2_0042E280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0042E490 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 8_2_0042E490
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_a6320bf9-5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\TmpE8D6.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp

System Summary

Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D1FF8 CreateProcessAsUserW, 0_2_083D1FF8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_013F1FE0 0_2_013F1FE0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F78AD9 0_2_02F78AD9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F74A68 0_2_02F74A68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F7DBF0 0_2_02F7DBF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F75483 0_2_02F75483
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F741F0 0_2_02F741F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F77280 0_2_02F77280
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F78640 0_2_02F78640
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F78630 0_2_02F78630
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F7BFE8 0_2_02F7BFE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F7D3E8 0_2_02F7D3E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F76F79 0_2_02F76F79
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F734E9 0_2_02F734E9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F788D0 0_2_02F788D0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F788C0 0_2_02F788C0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F76874 0_2_02F76874
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F78438 0_2_02F78438
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F78428 0_2_02F78428
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F7CDE8 0_2_02F7CDE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F77DE8 0_2_02F77DE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F725D8 0_2_02F725D8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F77DD8 0_2_02F77DD8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F79590 0_2_02F79590
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F7414B 0_2_02F7414B
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_02F8CD24 0_2_02F8CD24
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D08C8 0_2_083D08C8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D2A78 0_2_083D2A78
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D7BF0 0_2_083D7BF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D0BE0 0_2_083D0BE0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D2D20 0_2_083D2D20
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083DB728 0_2_083DB728
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083DF7B9 0_2_083DF7B9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D087A 0_2_083D087A
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D2A68 0_2_083D2A68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D0260 0_2_083D0260
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D0251 0_2_083D0251
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D1298 0_2_083D1298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D3318 0_2_083D3318
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D53A0 0_2_083D53A0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D8398 0_2_083D8398
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D0BD1 0_2_083D0BD1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D5408 0_2_083D5408
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D57B0 0_2_083D57B0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08490040 0_2_08490040
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08498860 0_2_08498860
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0849E550 0_2_0849E550
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084969E8 0_2_084969E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08498AD0 0_2_08498AD0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08493698 0_2_08493698
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08496C49 0_2_08496C49
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08496C58 0_2_08496C58
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08498058 0_2_08498058
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08498851 0_2_08498851
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08493470 0_2_08493470
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08490006 0_2_08490006
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0849802E 0_2_0849802E
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08493480 0_2_08493480
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0849C480 0_2_0849C480
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08494140 0_2_08494140
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084969D7 0_2_084969D7
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084941E8 0_2_084941E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084931E0 0_2_084931E0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084931F0 0_2_084931F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08492988 0_2_08492988
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08492998 0_2_08492998
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08497A49 0_2_08497A49
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08497A58 0_2_08497A58
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0849BE18 0_2_0849BE18
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08491E2A 0_2_08491E2A
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08491E30 0_2_08491E30
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08498AC1 0_2_08498AC1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08493689 0_2_08493689
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_084997C9 0_2_084997C9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08492FD8 0_2_08492FD8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08492FE8 0_2_08492FE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08499BFA 0_2_08499BFA
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0849C798 0_2_0849C798
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08499BA3 0_2_08499BA3
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D160B0 0_2_08D160B0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1B9F0 0_2_08D1B9F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D16948 0_2_08D16948
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D17298 0_2_08D17298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1EA10 0_2_08D1EA10
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D18208 0_2_08D18208
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D14329 0_2_08D14329
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D10DE8 0_2_08D10DE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D16061 0_2_08D16061
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D16007 0_2_08D16007
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1A838 0_2_08D1A838
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D16946 0_2_08D16946
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D17296 0_2_08D17296
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1A3B8 0_2_08D1A3B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D14353 0_2_08D14353
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1AB28 0_2_08D1AB28
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D154DF 0_2_08D154DF
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D154F0 0_2_08D154F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D1A5D8 0_2_08D1A5D8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_08D19D10 0_2_08D19D10
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E741650 0_2_0E741650
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74F750 0_2_0E74F750
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74C5E8 0_2_0E74C5E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74D268 0_2_0E74D268
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74BFEB 0_2_0E74BFEB
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E745A2C 0_2_0E745A2C
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E745840 0_2_0E745840
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E745839 0_2_0E745839
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74591D 0_2_0E74591D
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74164E 0_2_0E74164E
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74F740 0_2_0E74F740
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74C593 0_2_0E74C593
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74D259 0_2_0E74D259
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74C008 0_2_0E74C008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7440C0 0_2_0E7440C0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7440B1 0_2_0E7440B1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E77B648 0_2_0E77B648
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E77B010 0_2_0E77B010
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E77D000 0_2_0E77D000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E77C4A0 0_2_0E77C4A0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E777B90 0_2_0E777B90
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E778EF8 0_2_0E778EF8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7745C8 0_2_0E7745C8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7745B8 0_2_0E7745B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E77BFA8 0_2_0E77BFA8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E774191 0_2_0E774191
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E792618 0_2_0E792618
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79DEC8 0_2_0E79DEC8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7956B8 0_2_0E7956B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79FB90 0_2_0E79FB90
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B8A8 0_2_0E79B8A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79D001 0_2_0E79D001
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E798640 0_2_0E798640
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79DE38 0_2_0E79DE38
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79862F 0_2_0E79862F
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79260B 0_2_0E79260B
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E796EC0 0_2_0E796EC0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E796EBF 0_2_0E796EBF
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7956A8 0_2_0E7956A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79EF68 0_2_0E79EF68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79ACC8 0_2_0E79ACC8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79ACC3 0_2_0E79ACC3
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B202 0_2_0E79B202
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7962A8 0_2_0E7962A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E796298 0_2_0E796298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E798BF0 0_2_0E798BF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E798BE1 0_2_0E798BE1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B071 0_2_0E79B071
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B898 0_2_0E79B898
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B086 0_2_0E79B086
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B147 0_2_0E79B147
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B132 0_2_0E79B132
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79C9F0 0_2_0E79C9F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79B1ED 0_2_0E79B1ED
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79C9E3 0_2_0E79C9E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02664C88 4_2_02664C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02667380 4_2_02667380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02667F98 4_2_02667F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02669228 4_2_02669228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_05B32388 4_2_05B32388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_05B3A940 4_2_05B3A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_05B32379 4_2_05B32379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_05B3C2B0 4_2_05B3C2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E60B30 4_2_06E60B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E6EA70 4_2_06E6EA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E6EA3D 4_2_06E6EA3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07194F90 4_2_07194F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0719AD88 4_2_0719AD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071951C8 4_2_071951C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071989F0 4_2_071989F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071959E0 4_2_071959E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07193828 4_2_07193828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07190B31 4_2_07190B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07190B88 4_2_07190B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07194F80 4_2_07194F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071947C0 4_2_071947C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0719EEC8 4_2_0719EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07193AC8 4_2_07193AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07199120 4_2_07199120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07194158 4_2_07194158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0719F948 4_2_0719F948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07194148 4_2_07194148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071951B8 4_2_071951B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07193817 4_2_07193817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07190007 4_2_07190007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07197830 4_2_07197830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07197820 4_2_07197820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07190040 4_2_07190040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BD750 4_2_071BD750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BB748 4_2_071BB748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BBE70 4_2_071BBE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BC840 4_2_071BC840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071B9888 4_2_071B9888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BB716 4_2_071BB716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BAB07 4_2_071BAB07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BD731 4_2_071BD731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BFA98 4_2_071BFA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BFA88 4_2_071BFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BE5F8 4_2_071BE5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BF1F0 4_2_071BF1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BE5E9 4_2_071BE5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BF1E0 4_2_071BF1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071B0006 4_2_071B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BF85A 4_2_071BF85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BF860 4_2_071BF860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071BF4E0 4_2_071BF4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07721618 4_2_07721618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0772C072 4_2_0772C072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0772C078 4_2_0772C078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E60B17 4_2_06E60B17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00422440 8_2_00422440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00421A10 8_2_00421A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00404BD0 8_2_00404BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004100C0 8_2_004100C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004041D0 8_2_004041D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004221E2 8_2_004221E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043B260 8_2_0043B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00408230 8_2_00408230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00403340 8_2_00403340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00406590 8_2_00406590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0041D5BE 8_2_0041D5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_004016F0 8_2_004016F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00403720 8_2_00403720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00405810 8_2_00405810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00416ADD 8_2_00416ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00406C20 8_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00426E67 8_2_00426E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043AF20 8_2_0043AF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0041DFC2 8_2_0041DFC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00F3E3E8 9_2_00F3E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00F3E3D8 9_2_00F3E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00F30878 9_2_00F30878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00F30868 9_2_00F30868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00F34DD0 9_2_00F34DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_050C86F4 9_2_050C86F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_050CB143 9_2_050CB143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_050CB150 9_2_050CB150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720A978 9_2_0720A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720D288 9_2_0720D288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720DA08 9_2_0720DA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720DA18 9_2_0720DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Security Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00408D60 appears 46 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 00409450 appears 163 times
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439979828.00000000099F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBingX API.dll4 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2411628265.0000000002F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBingX API.dll4 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000000.1655457798.000000000086C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetUserFTA.exe6 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2409875485.000000000128E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439979828.0000000009B37000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe Binary or memory string: OriginalFilenameSetUserFTA.exe6 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/7@2/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0042A7F1 CoCreateInstance, 8_2_0042A7F1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2M1NS61GG8.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp Jump to behavior
Source: 2M1NS61GG8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2M1NS61GG8.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2M1NS61GG8.exe ReversingLabs: Detection: 39%
Source: 2M1NS61GG8.exe Virustotal: Detection: 32%
Source: unknown Process created: C:\Users\user\Desktop\2M1NS61GG8.exe "C:\Users\user\Desktop\2M1NS61GG8.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
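The process tree above is the most actionable part of this section: the dropper starts AddInProcess32.exe four times with an empty command line, one of those instances starts InstallUtil.exe, again with no arguments, and the zgRAT Yara match on 9.2.InstallUtil.exe.400000.0.unpack shows the payload sitting at InstallUtil's image base, which means the framework binary was hollowed and its image replaced. Neither utility does anything useful without arguments, so "framework utility started with an empty command line" is a detection in its own right. The script below is an added example for this page, not Joe Sandbox or project code: it evaluates process-creation records built from the lines above (plus one constructed benign control) and raises the severity when the parent runs from a user-writable path or is itself a flagged utility. The target list, the path heuristics and the severity levels are the editor's assumptions.

```python
"""Flag process-creation events that look like hollowing of .NET Framework utilities.

Added example for this report, not code from Joe Sandbox or from the sample.
The event records are constructed from the 'Process created' lines above plus
one benign control; the target list, path heuristics and severities are the
editor's own assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Framework binaries commonly used as hollowing hosts (editor's list, not exhaustive).
HOLLOW_TARGETS = {"addinprocess32.exe", "addinprocess.exe", "installutil.exe",
                  "regasm.exe", "regsvcs.exe", "msbuild.exe"}
FRAMEWORK_ROOTS = ("c:\\windows\\microsoft.net\\framework\\",
                   "c:\\windows\\microsoft.net\\framework64\\")


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process ("" if unknown)
    image: str    # image path of the new process
    cmdline: str  # command line as logged


ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
DROPPER = r"C:\Users\user\Desktop\2M1NS61GG8.exe"

# Constructed from the report's process tree (order preserved), plus one benign control.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("", DROPPER, f'"{DROPPER}"'),
    *[ProcEvent(DROPPER, ADDIN, f'"{ADDIN}"') for _ in range(4)],
    ProcEvent(ADDIN, INSTALLUTIL, f'"{INSTALLUTIL}"'),
    ProcEvent(INSTALLUTIL, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign control (constructed): an installer registering a service with InstallUtil.
    ProcEvent(r"C:\Windows\System32\cmd.exe", INSTALLUTIL,
              f'"{INSTALLUTIL}" /LogFile= ' + r'"C:\Program Files\Acme\AcmeSvc.exe"'),
]


def arguments(cmdline: str) -> str:
    """Return everything after argv[0] in the logged command line (quoted or bare)."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    return c.split(" ", 1)[1].strip() if " " in c else ""


def is_user_writable(path: str) -> bool:
    """Heuristic: locations an unprivileged user can drop a file into."""
    p = path.lower()
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p


def evaluate(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one finding per framework utility started without arguments."""
    findings: List[Dict[str, object]] = []
    flagged_images = set()
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if name not in HOLLOW_TARGETS or not ev.image.lower().startswith(FRAMEWORK_ROOTS):
            continue
        if arguments(ev.cmdline):
            continue  # assumption: legitimate use of these tools always carries arguments
        reasons = ["framework utility started with an empty command line"]
        severity = "medium"
        if is_user_writable(ev.parent):
            reasons.append("parent image lives in a user-writable location")
            severity = "high"
        if ev.parent.lower() in flagged_images:
            reasons.append("parent is itself a flagged framework utility (chained)")
            severity = "high"
        flagged_images.add(ev.image.lower())
        findings.append({"image": name, "parent": ntpath.basename(ev.parent).lower(),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["severity"], f["parent"], "->", f["image"], "; ".join(f["reasons"]))
```

With Sysmon, feed ParentImage, Image and CommandLine from Event ID 1 into ProcEvent; most EDR process telemetry exposes the same three fields. The benign control shows why the empty-command-line test matters: InstallUtil.exe invoked with /LogFile= and an assembly path is normal installer behaviour and is not flagged.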
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Google Chrome.lnk.9.dr LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\2M1NS61GG8.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 2M1NS61GG8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 2M1NS61GG8.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2M1NS61GG8.exe Static file information: File size 5382656 > 1048576
Source: 2M1NS61GG8.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x519200
Source: 2M1NS61GG8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dllO source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
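
The process chain at the top of this section (the sample starts AddInProcess32.exe, which starts InstallUtil.exe, which starts conhost.exe, with both .NET Framework utilities launched on an empty command line) is the pattern a triage script should catch: InstallUtil.exe and AddInProcess32.exe are only ever useful with arguments, so an argument-less launch from a desktop executable means the image is a shell for injected code. The Python below is an added example, not part of the Joe Sandbox report; it parses the report's own "Process created" and "Section loaded" lines (a few copied inline) and flags .NET hosts started from outside C:\Windows, chained into one another, or started without arguments, and maps loaded modules to what the injected payload is likely doing. The host list, the module-to-capability mapping and the regular expressions are this example's assumptions, not Joe Sandbox rules.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: lines copied from this report (the three distinct
# "Process created" events plus a few "Section loaded" events).
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dpapi.dll',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll',
]

# Signed .NET Framework utilities that loaders commonly start suspended and
# overwrite with a payload. Illustrative list assumed by this example.
DOTNET_HOSTS = {
    "addinprocess32.exe", "addinprocess.exe", "installutil.exe",
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe",
}

# Module -> capability hint for an injected payload. Assumed mapping.
MODULE_CAPABILITIES = {
    "wbemcomn.dll": "wmi",      # WMI client library (AV/firewall enumeration)
    "schannel.dll": "tls",      # TLS through SChannel (HTTPS C2)
    "winhttp.dll": "http",      # WinHTTP client
    "dpapi.dll": "dpapi",       # CryptUnprotectData (browser credential decryption)
}

PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
LOAD_RE = re.compile(r"^Source: (?P<proc>\S+) Section loaded: (?P<module>\S+)$")


def _basename(path):
    return ntpath.basename(path).lower()


def parse_process_creations(lines):
    """Return (parent_path, child_path, command_line) for every creation line."""
    events = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def _has_arguments(image, cmdline):
    """True if the command line carries anything beyond the image path itself."""
    return cmdline.strip().strip('"').lower() != image.lower()


def analyze(lines):
    """Apply three checks to each creation of a .NET host and return the findings."""
    findings = []
    for parent, image, cmdline in parse_process_creations(lines):
        child = _basename(image)
        if child not in DOTNET_HOSTS:
            continue
        # A framework utility started by something outside C:\Windows.
        if not parent.lower().startswith("c:\\windows\\"):
            findings.append(("dotnet_host_from_user_path", parent, child))
        # One framework utility starting another: a second injection stage.
        if _basename(parent) in DOTNET_HOSTS:
            findings.append(("nested_dotnet_hosts", _basename(parent), child))
        # InstallUtil/AddInProcess do nothing useful without arguments; an
        # empty command line means the image only hosts injected code.
        if not _has_arguments(image, cmdline):
            findings.append(("no_arguments", child, cmdline))
    return findings


def process_chain(lines, root):
    """Follow parent -> child edges from `root`; returns basenames in order."""
    children = defaultdict(list)
    for parent, image, _ in parse_process_creations(lines):
        children[_basename(parent)].append(_basename(image))
    chain, cur = [_basename(root)], _basename(root)
    while children.get(cur):
        cur = children[cur][0]
        chain.append(cur)
    return chain


def loaded_module_indicators(lines):
    """Map each process basename to the capabilities implied by its loaded modules."""
    caps = defaultdict(set)
    for line in lines:
        m = LOAD_RE.match(line.strip())
        if m:
            cap = MODULE_CAPABILITIES.get(m["module"].lower())
            if cap:
                caps[_basename(m["proc"])].add(cap)
    return {proc: sorted(c) for proc, c in caps.items()}


if __name__ == "__main__":
    for finding in analyze(REPORT_LINES):
        print(*finding)
    print(" -> ".join(process_chain(REPORT_LINES, r"C:\Users\user\Desktop\2M1NS61GG8.exe")))
    print(loaded_module_indicators(REPORT_LINES))
```

Run against the lines above, the script reports the AddInProcess32.exe launch from the desktop path, the AddInProcess32.exe to InstallUtil.exe nesting, and two argument-less launches, and attributes WMI, TLS and DPAPI use to the AddInProcess32.exe instance. The same parser works on the full report text; the conhost.exe creation is ignored because conhost.exe is not a .NET host.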

Data Obfuscation

Source: Yara match File source: 4.2.AddInProcess32.exe.4ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.4ff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2478930846.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7600, type: MEMORYSTR
Source: 2M1NS61GG8.exe, Tk.cs .Net Code: NewLateBinding.LateCall(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(obj4, (Type)null, "GetMethods", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 0 }, (string[])null), (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs .Net Code: O7smv2f0AR
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs .Net Code: UYdFMNjxJ9
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs .Net Code: O7smv2f0AR
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs .Net Code: UYdFMNjxJ9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D7920 pushad ; ret 0_2_083D792D
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_083D6443 pushad ; ret 0_2_083D6449
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E744F3B push cs; retf 0_2_0E744F3C
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E748F0E push 08418B05h; ret 0_2_0E748F13
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E74EA88 push es; mov dword ptr [esp], eax 0_2_0E74EAAB
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7459E3 push ecx; ret 0_2_0E7459EC
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E7409AB pushad ; iretd 0_2_0E7409B5
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Code function: 0_2_0E79C6C3 push cs; ret 0_2_0E79C6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E695A8 pushad ; ret 4_2_06E69B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E69AA5 pushad ; ret 4_2_06E69B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E68090 push ecx; ret 4_2_06E680A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06E6805F pushad ; ret 4_2_06E68063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07196596 push esi; retf 4_2_07196597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_07196D82 push 0000005Eh; retf 4_2_07196D84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071B5906 push esi; retf 4_2_071B590A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_071B4CBD push ecx; retf 0040h 4_2_071B4CBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043F552 push ecx; retf 8_2_0043F559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00440758 push ecx; retf 8_2_00440759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043DA78 push ECE0CD30h; ret 8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043DAC5 push ECE0CD30h; ret 8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_0043DAA8 push ECE0CD30h; ret 8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_050C2068 pushfd ; iretd 9_2_050C2069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720A57F push dword ptr [esp+ecx*2-75h]; ret 9_2_0720A583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720C446 push esi; retf 9_2_0720C447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_0720B3DB push FFFFFF8Bh; retf 9_2_0720B3DD
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs High entropy of concatenated method names: 'cVPWYtTsup', 'L0jWo2OHZx', 'V2ZWRbWftC', 'UNoWycJ8BL', 'uXbWD2bfL9', 'OyAW32iCth', 'NqYWesuwMC', 'ovMpyvNF5Q', 'IiyWl7pfJj', 'oG0W7W3ujx'
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs High entropy of concatenated method names: 'YGard6El1G', 'g38PJ8K3c0', 'JLNrY0oRkM', 'PUDro8LIgH', 'CVmrRys6yS', 'l75rygIfeK', 'Vt68hxKv4v', 'iHlVsUddhI', 'eAyViyhiwA', 'IkaV0Uy824'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs High entropy of concatenated method names: 'cVPWYtTsup', 'L0jWo2OHZx', 'V2ZWRbWftC', 'UNoWycJ8BL', 'uXbWD2bfL9', 'OyAW32iCth', 'NqYWesuwMC', 'ovMpyvNF5Q', 'IiyWl7pfJj', 'oG0W7W3ujx'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs High entropy of concatenated method names: 'YGard6El1G', 'g38PJ8K3c0', 'JLNrY0oRkM', 'PUDro8LIgH', 'CVmrRys6yS', 'l75rygIfeK', 'Vt68hxKv4v', 'iHlVsUddhI', 'eAyViyhiwA', 'IkaV0Uy824'
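
The "High entropy of concatenated method names" finding is a cheap renaming-obfuscation heuristic: a .NET protector replaces descriptive identifiers with fixed-length random alphanumerics, so the character distribution of all method names of a class joined together approaches that of random data, while hand-written names are dominated by a few letters and dictionary fragments. The script below is an added example, not from the report or from Joe Sandbox: it computes the Shannon entropy of the ten names listed above against ordinary identifiers taken from the reflection calls quoted in this section. The 4.8-bit threshold and the two corroborating checks (uniform name length, digits inside identifiers) are this example's assumptions; Joe Sandbox's own cut-off is not published on the page.

```python
import math
from collections import Counter

# Method names quoted in the report for the two unpacked classes (copied from
# the findings above).
OBFUSCATED_NAMES = [
    "cVPWYtTsup", "L0jWo2OHZx", "V2ZWRbWftC", "UNoWycJ8BL", "uXbWD2bfL9",
    "OyAW32iCth", "NqYWesuwMC", "ovMpyvNF5Q", "IiyWl7pfJj", "oG0W7W3ujx",
]
# Ordinary .NET identifiers for comparison, taken from the reflection calls
# quoted in the same section.
BENIGN_NAMES = [
    "GetMethods", "Invoke", "GetDelegateForFunctionPointer",
    "LateCall", "LateIndexGet", "LateGet",
]

# Assumed threshold for this example; the report does not state its value.
ENTROPY_THRESHOLD = 4.8


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_names(names):
    """Entropy of the concatenated names plus two cheap corroborating checks."""
    joined = "".join(names)
    entropy = shannon_entropy(joined)
    # Renamers emit fixed-length tokens; hand-written names vary in length.
    uniform_length = len({len(n) for n in names}) == 1
    # Digits inside identifiers are rare in hand-written .NET code.
    digit_ratio = sum(any(ch.isdigit() for ch in n) for n in names) / len(names)
    return {
        "entropy": entropy,
        "uniform_length": uniform_length,
        "digit_ratio": digit_ratio,
        "suspicious": entropy >= ENTROPY_THRESHOLD and (uniform_length or digit_ratio > 0.5),
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("benign", BENIGN_NAMES)):
        print(label, score_names(names))
```

The obfuscated set scores about 5.3 bits per character; the benign set scores about 4.0. Entropy of a short string is capped at log2 of its length, so the measure only separates the two populations when enough names are concatenated, which is why the report scores ten names per class rather than each name on its own.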

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
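
The registry writes above install a certificate into the machine-wide ROOT store: the key name is the certificate's SHA-1 thumbprint and the Blob value holds the certificate together with its cached properties. A trusted root added this way lets the operator intercept TLS on the host without browser warnings, and it survives the removal of the stealer itself. Two checks a responder wants are to diff the ROOT store against a known-good snapshot and, for any new entry, to parse the Blob, hash the embedded DER certificate and confirm it matches the key name. The Python below is an added example, not from the report; it assumes the usual serialized layout of the Blob value (repeated records of property id, reserved word, length and data, with the DER certificate under property 32 and the SHA-1 under property 3), constructs a fake entry inline, and shows in a comment how the live value is read with winreg on Windows.

```python
import hashlib
import struct

# Property ids used inside the Blob value (CryptoAPI CERT_*_PROP_ID constants).
CERT_SHA1_HASH_PROP_ID = 3    # cached SHA-1 of the certificate
CERT_CERT_PROP_ID = 32        # the DER-encoded X.509 certificate itself

# Key name written by the sample, as reported above (a SHA-1 thumbprint).
REPORTED_THUMBPRINT = "F1A578C4CB5DE79A370893983FD4DA8B67B2B064"


def parse_cert_blob(blob):
    """Split a SystemCertificates Blob value into {property_id: raw_bytes}.

    Assumed layout (serialized store element): a sequence of records
    <prop_id:u32le><reserved:u32le><length:u32le><data[length]>.
    """
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property record")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def thumbprint(der):
    """Upper-case hex SHA-1 of the DER certificate, the form used as key name."""
    return hashlib.sha1(der).hexdigest().upper()


def check_root_entry(key_name, blob):
    """Return (thumbprint_of_embedded_cert, consistent) for one registry entry.

    consistent is True only if the embedded certificate hashes to the key
    name and to the cached SHA-1 property (when that property is present).
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate property")
    tp = thumbprint(der)
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    cached_ok = cached is None or cached.hex().upper() == tp
    return tp, (tp == key_name.upper()) and cached_ok


def new_roots(baseline, current):
    """Thumbprints present now but absent from a known-good snapshot of HKLM ROOT."""
    return sorted(set(current) - set(baseline))


def build_blob(der, include_hash=True):
    """Constructed helper: serialize a fake entry in the assumed Blob layout."""
    records = []
    if include_hash:
        digest = hashlib.sha1(der).digest()
        records.append(struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(digest)) + digest)
    records.append(struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der)
    return b"".join(records)


# Constructed stand-in for a DER certificate (the parser never decodes ASN.1,
# so any byte string exercises it; a real entry holds the X.509 DER here).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# On Windows the live value is read with winreg (not executed here):
#   import winreg
#   key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
#       "SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\" + REPORTED_THUMBPRINT)
#   blob, _ = winreg.QueryValueEx(key, "Blob")

if __name__ == "__main__":
    blob = build_blob(FAKE_DER)
    print(check_root_entry(thumbprint(FAKE_DER), blob))   # second element True
    print(check_root_entry(REPORTED_THUMBPRINT, blob))    # second element False
    print(new_roots({"AAA"}, {"AAA", REPORTED_THUMBPRINT}))
```

On a live host, enumerate the subkeys of SystemCertificates\ROOT\Certificates under HKLM, feed each Blob to check_root_entry, and pass the key names to new_roots together with the snapshot taken from a clean build; a key that is new or whose embedded certificate does not hash to its own name is the one to export and examine.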

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\2M1NS61GG8.exe File opened: C:\Users\user\Desktop\2M1NS61GG8.exe\:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 2M1NS61GG8.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7600, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe System information queried: FirmwareTableInformation
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\^Q
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,^Q
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 8ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 9ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: A0C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: B0C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: B4B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: C4B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: D4B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: EBA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: FBA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 10BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: 11BA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 47E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 77B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 87B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 8960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 9960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 9CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: ACC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: BCC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Window / User API: threadDelayed 511
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Window / User API: threadDelayed 2435
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Window / User API: threadDelayed 473
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Window / User API: threadDelayed 6118
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99760s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99605s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420 Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7500 Thread sleep time: -473000s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7512 Thread sleep time: -302000s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7500 Thread sleep time: -6118000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8048 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8068 Thread sleep time: -53000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3744 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99760
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99605
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99500
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99390
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99281
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99172
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 99062
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98953
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98844
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98719
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98609
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98500
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Thread delayed: delay time: 98390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware svga
Source: 2M1NS61GG8.exe, 00000000.00000002.2410539634.0000000001368000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: AddInProcess32.exe, 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: AddInProcess32.exe, 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,^q
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware pointing device
Source: InstallUtil.exe, 00000009.00000002.2484439385.000000000105F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}fQ*
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware sata
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachineDetector
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 00000009.00000002.2484439385.000000000105F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware vmci bus device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware usb pointing device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\^q
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtools
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachine
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 8_2_00435840 LdrInitializeThunk, 8_2_00435840
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 protect: page execute and read and write
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wifeplasterbakewis.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: mealplayerpreceodsju.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: bordersoarmanusjuw.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: suitcaseacanehalk.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: absentconvicsjawun.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pushjellysingeywus.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: economicscreateojsu.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: entitlementappwo.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: rocketmusclesksj.shop
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 702000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C0000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C8000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 56D008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C3008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C0000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C8000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7AB008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43F000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 44B000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8C8008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 462000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4BE000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B06008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Users\user\Desktop\2M1NS61GG8.exe VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\2M1NS61GG8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/ElectrumAO
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/JAXX New VersionA
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: Awindow-state.json
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Z
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Z
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\BinanceA%appdata%\Binance
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/EthereumAo
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AWallets/CoinomiC:\Users\user\AppData\Local\Coinomi\Coinomi\walletsZ
Source: AddInProcess32.exe, 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: AC:\Users\user\AppData\Roaming\Ledger Live+Z
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: Yara match File source: 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE