Windows Analysis Report
o8HZDSERz2.exe

Overview

General Information

Sample name: o8HZDSERz2.exe
(renamed because the original name is a hash value)
Original sample name: DC432166C98009FE4550E69F9B2DD1DA.exe
Analysis ID: 1472727
MD5: dc432166c98009fe4550e69f9b2dd1da
SHA1: 48eaf82358bfe763d6a7038a82ddcbfac656d079
SHA256: d005d8e4126f9e6a5f14ec3defc0700a2ea4b950249f8eb0ca5644a6f36f68e6
Tags: exe, RedLineStealer

Detection

RedLine
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: o8HZDSERz2.exe ReversingLabs: Detection: 47%
Source: o8HZDSERz2.exe Virustotal: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: o8HZDSERz2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: o8HZDSERz2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 03342EF5h 0_2_03342E88
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 03346B1Bh 0_2_03346AE0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 03346B1Bh 0_2_03346AD2
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 033408AEh 0_2_03340878
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 033408AEh 0_2_03340868
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 03342EF5h 0_2_03342E78
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 057D395Eh 0_2_057D3928
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 4x nop then jmp 057D395Eh 0_2_057D3919
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@|- equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000365F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000365F000.00000004.00000800.00020000.00000000.sdmp, o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_d29cd670-8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03341350 0_2_03341350
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334CB98 0_2_0334CB98
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334AA8A 0_2_0334AA8A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334E199 0_2_0334E199
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334102A 0_2_0334102A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03342858 0_2_03342858
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03341680 0_2_03341680
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03342E88 0_2_03342E88
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033495B0 0_2_033495B0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334B580 0_2_0334B580
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033474E8 0_2_033474E8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03341340 0_2_03341340
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334CB8A 0_2_0334CB8A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03344A30 0_2_03344A30
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334EA60 0_2_0334EA60
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03344268 0_2_03344268
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03344259 0_2_03344259
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334EA4F 0_2_0334EA4F
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033492E0 0_2_033492E0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033492D0 0_2_033492D0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334D2C8 0_2_0334D2C8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033451DA 0_2_033451DA
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03347880 0_2_03347880
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033488D1 0_2_033488D1
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03344E11 0_2_03344E11
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03341670 0_2_03341670
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03342E78 0_2_03342E78
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334BEF0 0_2_0334BEF0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03348ED0 0_2_03348ED0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03343EC9 0_2_03343EC9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033495A0 0_2_033495A0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334A420 0_2_0334A420
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_03343CD9 0_2_03343CD9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_033474DA 0_2_033474DA
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_056EA550 0_2_056EA550
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_056E9DB8 0_2_056E9DB8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_056E0448 0_2_056E0448
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_056E0E90 0_2_056E0E90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D3BA0 0_2_057D3BA0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057DE60C 0_2_057DE60C
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D46A0 0_2_057D46A0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D4690 0_2_057D4690
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D4060 0_2_057D4060
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D43D9 0_2_057D43D9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_057D3B90 0_2_057D3B90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_05840690 0_2_05840690
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_05846C90 0_2_05846C90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_058474B0 0_2_058474B0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_058474C0 0_2_058474C0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_05840680 0_2_05840680
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_05846C81 0_2_05846C81
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Process token adjusted: Security
Source: o8HZDSERz2.exe, 00000000.00000002.1686527714.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe, 00000000.00000000.1664929107.0000000000F02000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSuffixion.exe" vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe Binary or memory string: OriginalFilenameSuffixion.exe" vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: o8HZDSERz2.exe, ---------.cs Cryptographic APIs: 'CreateDecryptor'
Source: o8HZDSERz2.exe, ---------.cs Cryptographic APIs: 'CreateDecryptor'
Source: o8HZDSERz2.exe, ---------.cs Base64 encoded string: 'rkZ/d56y021pZZe6nktlbJXxvEx/Zpa9kUY3RJ6ruFF4cYKejkxpbpmzhARrZo+Au0pgb7W+kFo3bIuAtFFpco6+kVZ4esC4mEtTT56xmktkOLy6iWt1c56Zj1BhS5qxmVNpOJy6iWBCYpa6xnZiZ56nslk3UZ6+mWx4cZKxmgRNZ5/kmlp4XKuwjlZ4apSxxlhpd6SciE1+ZpWruVBhYpKxxmxpd7++iV43MsnpyQY3QoismFJub4KMmE16ZonkrlZhc5e6vEx/Zpa9kUZJe4uzkk1pccC9nF1pb42yxkxhbJC6iVp/dw=='
Source: classification engine Classification label: mal68.troj.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o8HZDSERz2.exe.log
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: o8HZDSERz2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: o8HZDSERz2.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: o8HZDSERz2.exe ReversingLabs: Detection: 47%
Source: o8HZDSERz2.exe Virustotal: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\o8HZDSERz2.exe "C:\Users\user\Desktop\o8HZDSERz2.exe"
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: ucrtbase_clr0400.dll (2 identical entries)
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: o8HZDSERz2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: o8HZDSERz2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: o8HZDSERz2.exe, ---------.cs .Net Code: _3020_3020_301E_3025_3007_3026_302B System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0334D268 pushfd ; iretd 0_2_0334D285
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Code function: 0_2_0584D68F push F005858Dh; iretd 0_2_0584D69D
Source: o8HZDSERz2.exe Static PE information: section name: .text entropy: 7.186487476215751
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)

Malware Analysis System Evasion

Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@|-
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\^Q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,^Q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Memory allocated: 3130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Memory allocated: 3390000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\o8HZDSERz2.exe TID: 6900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Thread delayed: delay time: 922337203685477
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,^q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\^q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@|-
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Memory allocated: page read and write | page guard
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Users\user\Desktop\o8HZDSERz2.exe VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (10 identical entries)
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o8HZDSERz2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o8HZDSERz2.exe PID: 6732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o8HZDSERz2.exe PID: 6732, type: MEMORYSTR
No contacted IP infos