Edit tour

Windows Analysis Report
INV76280.exe

Overview

General Information

Sample name:	INV76280.exe
Analysis ID:	1620277
MD5:	a8d0ed16c6dd069508a73a97740c9026
SHA1:	a83e96c4187e37c10e7796c2b5efaeacb8d7b2e9
SHA256:	078263b898d23617f9d122ed659a6262ec0e90f284e429af3d08ef6da5d31b47
Tags:	exeuser-cocaman
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

INV76280.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\INV76280.exe" MD5: A8D0ED16C6DD069508A73A97740C9026)

powershell.exe (PID: 7744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7956 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

INV76280.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\INV76280.exe" MD5: A8D0ED16C6DD069508A73A97740C9026)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7450043306:AAGNBMQldCanUOMyyWtvmUfaSV3CgvikQIs", "Telegram Chatid": "5808342376"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf815:$a1: get_encryptedPassword 0xfb3d:$a2: get_encryptedUsername 0xf5a2:$a3: get_timePasswordChanged 0xf6c3:$a4: get_passwordField 0xf82b:$a5: set_encryptedPassword 0x11189:$a7: get_logins 0x10e3a:$a8: GetOutlookPasswords 0x10c2c:$a9: StartKeylogger 0x110d9:$a10: KeyLoggerEventArgs 0x10c89:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10385:$a1: get_encryptedPassword 0x279a5:$a1: get_encryptedPassword 0x3edc5:$a1: get_encryptedPassword 0x106ad:$a2: get_encryptedUsername 0x27ccd:$a2: get_encryptedUsername 0x3f0ed:$a2: get_encryptedUsername 0x10112:$a3: get_timePasswordChanged 0x27732:$a3: get_timePasswordChanged 0x3eb52:$a3: get_timePasswordChanged 0x10233:$a4: get_passwordField 0x27853:$a4: get_passwordField 0x3ec73:$a4: get_passwordField 0x1039b:$a5: set_encryptedPassword 0x279bb:$a5: set_encryptedPassword 0x3eddb:$a5: set_encryptedPassword 0x11cf9:$a7: get_logins 0x29319:$a7: get_logins 0x40739:$a7: get_logins 0x119aa:$a8: GetOutlookPasswords 0x28fca:$a8: GetOutlookPasswords 0x403ea:$a8: GetOutlookPasswords
Process Memory Space: INV76280.exe PID: 7500	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: INV76280.exe PID: 7500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: INV76280.exe PID: 7500	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: INV76280.exe PID: 7500	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: INV76280.exe PID: 7500	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5da45:$a1: get_encryptedPassword 0x5dd5e:$a2: get_encryptedUsername 0x5d7e6:$a3: get_timePasswordChanged 0x5d907:$a4: get_passwordField 0x5da5b:$a5: set_encryptedPassword 0x5f360:$a7: get_logins 0x5f011:$a8: GetOutlookPasswords 0x5ee03:$a9: StartKeylogger 0x5f2b0:$a10: KeyLoggerEventArgs 0x5ee60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: INV76280.exe PID: 7752	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: INV76280.exe PID: 7752	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: INV76280.exe PID: 7752	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: INV76280.exe PID: 7752	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5949:$a1: get_encryptedPassword 0x5c62:$a2: get_encryptedUsername 0x56ea:$a3: get_timePasswordChanged 0x580b:$a4: get_passwordField 0x595f:$a5: set_encryptedPassword 0x7264:$a7: get_logins 0x6f15:$a8: GetOutlookPasswords 0x6d07:$a9: StartKeylogger 0x71b4:$a10: KeyLoggerEventArgs 0x6d64:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.INV76280.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.INV76280.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
3.2.INV76280.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INV76280.exe.40d9970.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.INV76280.exe.40d9970.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.INV76280.exe.40d9970.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.INV76280.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa15:$a1: get_encryptedPassword 0xfd3d:$a2: get_encryptedUsername 0xf7a2:$a3: get_timePasswordChanged 0xf8c3:$a4: get_passwordField 0xfa2b:$a5: set_encryptedPassword 0x11389:$a7: get_logins 0x1103a:$a8: GetOutlookPasswords 0x10e2c:$a9: StartKeylogger 0x112d9:$a10: KeyLoggerEventArgs 0x10e89:$a11: KeyLoggerEventArgsEventHandler
0.2.INV76280.exe.40d9970.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc15:$a1: get_encryptedPassword 0xdf3d:$a2: get_encryptedUsername 0xd9a2:$a3: get_timePasswordChanged 0xdac3:$a4: get_passwordField 0xdc2b:$a5: set_encryptedPassword 0xf589:$a7: get_logins 0xf23a:$a8: GetOutlookPasswords 0xf02c:$a9: StartKeylogger 0xf4d9:$a10: KeyLoggerEventArgs 0xf089:$a11: KeyLoggerEventArgsEventHandler
3.2.INV76280.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14b8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1408b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14399:$a4: \Orbitum\User Data\Default\Login Data 0x15191:$a5: \Kometa\User Data\Default\Login Data
0.2.INV76280.exe.40d9970.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12d8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1228b:$a3: \Google\Chrome\User Data\Default\Login Data 0x12599:$a4: \Orbitum\User Data\Default\Login Data 0x13391:$a5: \Kometa\User Data\Default\Login Data
0.2.INV76280.exe.40f0f90.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.INV76280.exe.40f0f90.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.INV76280.exe.40f0f90.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INV76280.exe.40f0f90.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc15:$a1: get_encryptedPassword 0xdf3d:$a2: get_encryptedUsername 0xd9a2:$a3: get_timePasswordChanged 0xdac3:$a4: get_passwordField 0xdc2b:$a5: set_encryptedPassword 0xf589:$a7: get_logins 0xf23a:$a8: GetOutlookPasswords 0xf02c:$a9: StartKeylogger 0xf4d9:$a10: KeyLoggerEventArgs 0xf089:$a11: KeyLoggerEventArgsEventHandler
0.2.INV76280.exe.40f0f90.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12d8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1228b:$a3: \Google\Chrome\User Data\Default\Login Data 0x12599:$a4: \Orbitum\User Data\Default\Login Data 0x13391:$a5: \Kometa\User Data\Default\Login Data
0.2.INV76280.exe.40f0f90.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.INV76280.exe.40f0f90.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.INV76280.exe.40f0f90.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INV76280.exe.40f0f90.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa15:$a1: get_encryptedPassword 0x26e35:$a1: get_encryptedPassword 0xfd3d:$a2: get_encryptedUsername 0x2715d:$a2: get_encryptedUsername 0xf7a2:$a3: get_timePasswordChanged 0x26bc2:$a3: get_timePasswordChanged 0xf8c3:$a4: get_passwordField 0x26ce3:$a4: get_passwordField 0xfa2b:$a5: set_encryptedPassword 0x26e4b:$a5: set_encryptedPassword 0x11389:$a7: get_logins 0x287a9:$a7: get_logins 0x1103a:$a8: GetOutlookPasswords 0x2845a:$a8: GetOutlookPasswords 0x10e2c:$a9: StartKeylogger 0x2824c:$a9: StartKeylogger 0x112d9:$a10: KeyLoggerEventArgs 0x286f9:$a10: KeyLoggerEventArgs 0x10e89:$a11: KeyLoggerEventArgsEventHandler 0x282a9:$a11: KeyLoggerEventArgsEventHandler
0.2.INV76280.exe.40f0f90.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14b8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2bfad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1408b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2b4ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x14399:$a4: \Orbitum\User Data\Default\Login Data 0x2b7b9:$a4: \Orbitum\User Data\Default\Login Data 0x15191:$a5: \Kometa\User Data\Default\Login Data 0x2c5b1:$a5: \Kometa\User Data\Default\Login Data
0.2.INV76280.exe.40d9970.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.INV76280.exe.40d9970.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.INV76280.exe.40d9970.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.INV76280.exe.40d9970.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa15:$a1: get_encryptedPassword 0x27035:$a1: get_encryptedPassword 0x3e455:$a1: get_encryptedPassword 0xfd3d:$a2: get_encryptedUsername 0x2735d:$a2: get_encryptedUsername 0x3e77d:$a2: get_encryptedUsername 0xf7a2:$a3: get_timePasswordChanged 0x26dc2:$a3: get_timePasswordChanged 0x3e1e2:$a3: get_timePasswordChanged 0xf8c3:$a4: get_passwordField 0x26ee3:$a4: get_passwordField 0x3e303:$a4: get_passwordField 0xfa2b:$a5: set_encryptedPassword 0x2704b:$a5: set_encryptedPassword 0x3e46b:$a5: set_encryptedPassword 0x11389:$a7: get_logins 0x289a9:$a7: get_logins 0x3fdc9:$a7: get_logins 0x1103a:$a8: GetOutlookPasswords 0x2865a:$a8: GetOutlookPasswords 0x3fa7a:$a8: GetOutlookPasswords
0.2.INV76280.exe.40d9970.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14b8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2c1ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x435cd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1408b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2b6ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x42acb:$a3: \Google\Chrome\User Data\Default\Login Data 0x14399:$a4: \Orbitum\User Data\Default\Login Data 0x2b9b9:$a4: \Orbitum\User Data\Default\Login Data 0x42dd9:$a4: \Orbitum\User Data\Default\Login Data 0x15191:$a5: \Kometa\User Data\Default\Login Data 0x2c7b1:$a5: \Kometa\User Data\Default\Login Data 0x43bd1:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV76280.exe", ParentImage: C:\Users\user\Desktop\INV76280.exe, ParentProcessId: 7500, ParentProcessName: INV76280.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", ProcessId: 7744, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV76280.exe", ParentImage: C:\Users\user\Desktop\INV76280.exe, ParentProcessId: 7500, ParentProcessName: INV76280.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe", ProcessId: 7744, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T20:13:11.095877+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7450043306:AAGNBMQldCanUOMyyWtvmUfaSV3CgvikQIs", "Telegram Chatid": "5808342376"}

Multi AV Scanner detection for submitted file

Source: INV76280.exe	Virustotal: Detection: 32%			Perma Link
Source: INV76280.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: INV76280.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: INV76280.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: seY.pdb source: INV76280.exe
Source:	Binary string: seY.pdbSHA256A source: INV76280.exe

Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 00DB9731h	3_2_00DB9480
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 00DB9E5Ah	3_2_00DB9A40
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 00DB9E5Ah	3_2_00DB9A30
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 00DB9E5Ah	3_2_00DB9D87
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 054247C9h	3_2_05424520
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05428830h	3_2_05428588
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542F700h	3_2_0542F458
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 054276D0h	3_2_05427428
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542E9F8h	3_2_0542E750
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05425929h	3_2_05425680
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 054283D8h	3_2_05428130
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542E5A0h	3_2_0542E180
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542F2A8h	3_2_0542F000
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 054254D1h	3_2_05425228
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05425079h	3_2_05424DD0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05427F80h	3_2_05427CD8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05427278h	3_2_05426FD0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05424C21h	3_2_05424978
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05427B28h	3_2_05427880
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542FB58h	3_2_0542F8B0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 0542EE50h	3_2_0542EBA8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 4x nop then jmp 05425E15h	3_2_05425AD8

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2951974798.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: INV76280.exe, 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: INV76280.exe, 00000000.00000002.1732594225.000000000328B000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2951974798.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: INV76280.exe, 00000000.00000002.1736168407.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: INV76280.exe, 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: INV76280.exe, 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: INV76280.exe, 00000003.00000002.2951974798.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_02F74AE1	0_2_02F74AE1
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_02F7D6CC	0_2_02F7D6CC
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CAA48	0_2_091CAA48
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CC120	0_2_091CC120
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CF2B8	0_2_091CF2B8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CF2A8	0_2_091CF2A8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CF590	0_2_091CF590
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CF5A0	0_2_091CF5A0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CE630	0_2_091CE630
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DBC530	3_2_00DBC530
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DB27B9	3_2_00DB27B9
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DB2DD1	3_2_00DB2DD1
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DB9480	3_2_00DB9480
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DBC521	3_2_00DBC521
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_00DB946F	3_2_00DB946F
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05426138	3_2_05426138
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542BC60	3_2_0542BC60
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542AF00	3_2_0542AF00
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_054289E0	3_2_054289E0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05428579	3_2_05428579
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542450F	3_2_0542450F
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05424520	3_2_05424520
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05428588	3_2_05428588
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542F448	3_2_0542F448
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542F458	3_2_0542F458
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427418	3_2_05427418
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427428	3_2_05427428
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542E740	3_2_0542E740
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542E750	3_2_0542E750
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05425680	3_2_05425680
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05428120	3_2_05428120
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542612A	3_2_0542612A
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05428130	3_2_05428130
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542E180	3_2_0542E180
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542F000	3_2_0542F000
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05420320	3_2_05420320
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05420330	3_2_05420330
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_054213A8	3_2_054213A8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542521A	3_2_0542521A
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05425228	3_2_05425228
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05424DC0	3_2_05424DC0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05424DD0	3_2_05424DD0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427CC8	3_2_05427CC8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05420CD8	3_2_05420CD8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427CD8	3_2_05427CD8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05426FC3	3_2_05426FC3
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05426FD0	3_2_05426FD0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542EFF0	3_2_0542EFF0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05424969	3_2_05424969
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05424978	3_2_05424978
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_054289D0	3_2_054289D0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427871	3_2_05427871
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05427880	3_2_05427880
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542F8A1	3_2_0542F8A1
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542F8B0	3_2_0542F8B0
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542EB98	3_2_0542EB98
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_0542EBA8	3_2_0542EBA8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05425ACA	3_2_05425ACA
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05425AD8	3_2_05425AD8
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 3_2_05420AB8	3_2_05420AB8

Source: INV76280.exe, 00000000.00000002.1732594225.000000000328B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1738398545.000000000B700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs INV76280.exe
Source: INV76280.exe, 00000000.00000000.1702885688.0000000000E06000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameseY.exeF vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1737484691.0000000007E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1730268989.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INV76280.exe
Source: INV76280.exe, 00000000.00000002.1734104550.0000000004932000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs INV76280.exe
Source: INV76280.exe, 00000003.00000002.2949788943.00000000008F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INV76280.exe
Source: INV76280.exe, 00000003.00000002.2949993730.00000000009F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INV76280.exe
Source: INV76280.exe, 00000003.00000002.2949311518.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs INV76280.exe
Source: INV76280.exe	Binary or memory string: OriginalFilenameseY.exeF vs INV76280.exe

Source: INV76280.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: INV76280.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.INV76280.exe.b700000.6.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\INV76280.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV76280.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbd3dx4d.u1g.ps1

Jump to behavior

Source: INV76280.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: INV76280.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\INV76280.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: INV76280.exe, 00000003.00000002.2951974798.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2951974798.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, INV76280.exe, 00000003.00000002.2951974798.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: INV76280.exe	Virustotal: Detection: 32%
Source: INV76280.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\INV76280.exe "C:\Users\user\Desktop\INV76280.exe"
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe"
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Users\user\Desktop\INV76280.exe "C:\Users\user\Desktop\INV76280.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Users\user\Desktop\INV76280.exe "C:\Users\user\Desktop\INV76280.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\INV76280.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: INV76280.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INV76280.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: INV76280.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: seY.pdb source: INV76280.exe
Source:	Binary string: seY.pdbSHA256A source: INV76280.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.INV76280.exe.b700000.6.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	.Net Code: F2ogFMPTZ3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	.Net Code: F2ogFMPTZ3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.INV76280.exe.7e20000.5.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	.Net Code: F2ogFMPTZ3 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091C9A68 push eax; ret	0_2_091C9A69
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091C9E01 push esp; ret	0_2_091C9E0D
Source: C:\Users\user\Desktop\INV76280.exe	Code function: 0_2_091CA7E8 pushfd ; retf	0_2_091CA7E9

Source: INV76280.exe

Static PE information: section name: .text entropy: 7.626623769246916

Source: 0.2.INV76280.exe.b700000.6.raw.unpack, LT5vc3qRISD0cELoWa.cs	High entropy of concatenated method names: 'Dispose', 'IhAmQecJKj', 'vTTa0gYQXr', 'rwc1TpNEsF', 'K6tmVe3gQ3', 'N47mz8jJvO', 'ProcessDialogKey', 'NgTanTUhvx', 'TOcamXj8JQ', 'vWoaaBsNK4'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, e5TabRmmD09KohK25VV.cs	High entropy of concatenated method names: 'u0XlV7oBlL', 'cBdlzotc7K', 'mMgcnao6qR', 'zhQcmi0Dxl', 'KGica4vPfQ', 'J5QcErHJjB', 'XLGcgQlPoL', 'icTc18YB0g', 'ovncNiJiWo', 'ccPcqqAyPn'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, t95b14dZKe2mCeBrIN.cs	High entropy of concatenated method names: 'Yo8JNhSKlh', 'lDKJkgkvdA', 'SYJJKVerQq', 'djOKV73Ksu', 'GhNKz4aXDD', 'ylEJnbL5KO', 'CGiJm7n86P', 'K21JafW3fv', 'rSbJEx5coA', 'O9WJgRslDU'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	High entropy of concatenated method names: 'TJcE1EqZDt', 'VWpENMoBQU', 'gSDEqj07UV', 'e8WEkc4BFL', 'Hf6E8h4Ol1', 'uUwEKd8c1n', 'gYZEJZ3gDQ', 'nYyEroJDAS', 'u3QEefkS6g', 'YjVEfqMVsp'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, MXYI5lmgVUN3E9pwxL0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iOFZywmuAR', 'sZTZlIIQ0P', 'yS4ZccptLd', 'nptZZdmjrB', 'n1qZMUepAi', 'fYwZv1g6rR', 'WM1ZWyprRL'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, bIWldTznoafjQkn3ph.cs	High entropy of concatenated method names: 'WlBlbvgAvk', 'gZ1l7tpNsQ', 'Iw6lu1GopP', 'jR1lC4Bgna', 'fqjl0fJ1Mc', 'r2QlAMpccR', 'sbFlGPfdO4', 'myhlWZCo2L', 'GG1lLNC66y', 'wsPlRm5qNt'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, HUXLaGmnCV39G7iMqqX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K4pl4roeqD', 'IMGlY0QYx0', 'AT5l3qRHrT', 'iSYliBXjOV', 'PcvlItdGkp', 'bAwlOtjoQq', 'sSUlDsUZBI'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, DTliCLBLMFeikdfSdF.cs	High entropy of concatenated method names: 'firwXYVgKi', 'SRZwV45Vt9', 'SkVHnbUhif', 'cUoHm51IHc', 'tIfw4TM7JM', 'Xw0wYfWhU1', 'DfMw3RO4Yx', 'DlEwi669iL', 'KqRwIH7eng', 'IbRwOxubl8'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, KHP8sXDItMTjAbb9Fx.cs	High entropy of concatenated method names: 'zT3wfrDFvM', 'wq9w91Ykls', 'ToString', 'PAPwNifAP4', 'LvUwq9cxLu', 'MwWwkm7Bf6', 'FJkw8UGZsb', 'sBVwKK2IUW', 'be4wJL7QRR', 'lDZwrUAg5g'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, nTUhvxQDOcXj8JQMWo.cs	High entropy of concatenated method names: 'WyYyCpHBfi', 'LsVy0gJWCa', 'XldySHM6uR', 'CSRyA8XLBm', 'pguyGOmk7o', 'MfryPlA2C1', 'nI2ydjj1pC', 'wwDysCxfj4', 'FoIy2AnBGm', 'hT2y67NGBq'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, zMOkPApnBT6mGnfLyX.cs	High entropy of concatenated method names: 'hVW8U2Misw', 'Pre8tY63Ml', 'gMlkSQnUkb', 'hIYkA06trX', 'EmwkGmqd77', 'D3HkPRC93B', 'hQgkd7AS52', 'Fk2ksSOVMK', 'zKSk2u6jJW', 'r86k6Okx9r'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, VsNK4wVCfeTYLhMxvD.cs	High entropy of concatenated method names: 'eLwlkdG8cZ', 'pVQl8bepoP', 'rqrlKKwEwq', 'FpClJr2IBy', 'UYalyyAW4O', 'hR4lrXwlvQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, A9C2IOugWjFnITE7N5.cs	High entropy of concatenated method names: 'YiNkheDmjO', 'xqGkbPviKG', 'iNpk7IDIOO', 'Ob1kucCIOC', 'jMGkxYF6Nh', 'aknkjZFBjC', 'Ge4kw3phrO', 'oSbkHIYC9L', 'd0tkyBLqd1', 'KCxkl07Bj4'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	High entropy of concatenated method names: 'Ed1qiUo2O6', 'MuaqImLW4a', 'rSDqOufgXl', 'MO3qDhE7fo', 'uG7qoG466r', 'WX7qBk8h77', 'RcSq5GAZZp', 'HEZqXe90Fo', 'ImCqQ1pIGv', 'N3MqVjdGHC'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, EBfvrMCduamRu3Pnbb.cs	High entropy of concatenated method names: 'ypcK1hkH7s', 'J7qKq4Cjpn', 'hgwK84cuVv', 'qfUKJeSAUD', 'OmMKryK5Cc', 'BQk8oETxUN', 'EAy8B3vNVm', 'Wes85fMxVP', 'VC58XJHJGr', 'RWD8Q67hjw'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, npHo3H2p3DbRyrVoXP.cs	High entropy of concatenated method names: 'CmRJLPsG3A', 'QmxJRHc6G9', 'KcMJFRHtH5', 'Re3JhO8DPf', 'YZoJUs9VJE', 'vnJJbj1wZ2', 'b1bJtiK9YG', 'YrmJ7KWdTd', 'URsJujKt9B', 'rOrJp4b65h'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, qFLcOUgId9jqiWhOWs.cs	High entropy of concatenated method names: 'wZ3mJwm9hr', 'kgNmrHKftv', 'SgWmfjFnIT', 'c7Nm95FMOk', 'afLmxyXuBf', 'vrMmjduamR', 'IW16nXEQY9BbRZBojK', 'CgwBkVj2ngsG2Qp07t', 'wqimmQ4lYH', 'ynymEfrLjJ'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, OAoMZSa1ndGulih0Co.cs	High entropy of concatenated method names: 'fR5Fj5lft', 'AxCh68XAL', 'Wu6byR3KM', 'FVItmScCO', 'JciukjKYu', 'dCspjgspG', 'NsJuTty0v2JEYAsgEg', 'BttJjFaWUcfFPmviDn', 'MMDHGLDt6', 'mP6l1vVCM'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, RTGgJj3kWkVMwsrvu5.cs	High entropy of concatenated method names: 'OuuT7Ggsd1', 'NGXTutFxb6', 'F61TCjKmcy', 'jQ4T009xwR', 'cqbTAQddxR', 'M0kTGaTyQ2', 'WsjTda5u4v', 'ry5TsXbD15', 'Xk8T6nIjII', 'lxST4WZtDG'
Source: 0.2.INV76280.exe.b700000.6.raw.unpack, booStM5bBShAecJKjP.cs	High entropy of concatenated method names: 'q5MyxaR9SZ', 'MVyywFi3II', 'PxPyycBsgo', 'sbBycFOWdr', 'qSLyM8QqPQ', 'OO3yW4pjv3', 'Dispose', 'tlOHNWFXLX', 'MgpHqHScJx', 'KxMHk4fuxP'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, LT5vc3qRISD0cELoWa.cs	High entropy of concatenated method names: 'Dispose', 'IhAmQecJKj', 'vTTa0gYQXr', 'rwc1TpNEsF', 'K6tmVe3gQ3', 'N47mz8jJvO', 'ProcessDialogKey', 'NgTanTUhvx', 'TOcamXj8JQ', 'vWoaaBsNK4'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, e5TabRmmD09KohK25VV.cs	High entropy of concatenated method names: 'u0XlV7oBlL', 'cBdlzotc7K', 'mMgcnao6qR', 'zhQcmi0Dxl', 'KGica4vPfQ', 'J5QcErHJjB', 'XLGcgQlPoL', 'icTc18YB0g', 'ovncNiJiWo', 'ccPcqqAyPn'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, t95b14dZKe2mCeBrIN.cs	High entropy of concatenated method names: 'Yo8JNhSKlh', 'lDKJkgkvdA', 'SYJJKVerQq', 'djOKV73Ksu', 'GhNKz4aXDD', 'ylEJnbL5KO', 'CGiJm7n86P', 'K21JafW3fv', 'rSbJEx5coA', 'O9WJgRslDU'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	High entropy of concatenated method names: 'TJcE1EqZDt', 'VWpENMoBQU', 'gSDEqj07UV', 'e8WEkc4BFL', 'Hf6E8h4Ol1', 'uUwEKd8c1n', 'gYZEJZ3gDQ', 'nYyEroJDAS', 'u3QEefkS6g', 'YjVEfqMVsp'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, MXYI5lmgVUN3E9pwxL0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iOFZywmuAR', 'sZTZlIIQ0P', 'yS4ZccptLd', 'nptZZdmjrB', 'n1qZMUepAi', 'fYwZv1g6rR', 'WM1ZWyprRL'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, bIWldTznoafjQkn3ph.cs	High entropy of concatenated method names: 'WlBlbvgAvk', 'gZ1l7tpNsQ', 'Iw6lu1GopP', 'jR1lC4Bgna', 'fqjl0fJ1Mc', 'r2QlAMpccR', 'sbFlGPfdO4', 'myhlWZCo2L', 'GG1lLNC66y', 'wsPlRm5qNt'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, HUXLaGmnCV39G7iMqqX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K4pl4roeqD', 'IMGlY0QYx0', 'AT5l3qRHrT', 'iSYliBXjOV', 'PcvlItdGkp', 'bAwlOtjoQq', 'sSUlDsUZBI'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, DTliCLBLMFeikdfSdF.cs	High entropy of concatenated method names: 'firwXYVgKi', 'SRZwV45Vt9', 'SkVHnbUhif', 'cUoHm51IHc', 'tIfw4TM7JM', 'Xw0wYfWhU1', 'DfMw3RO4Yx', 'DlEwi669iL', 'KqRwIH7eng', 'IbRwOxubl8'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, KHP8sXDItMTjAbb9Fx.cs	High entropy of concatenated method names: 'zT3wfrDFvM', 'wq9w91Ykls', 'ToString', 'PAPwNifAP4', 'LvUwq9cxLu', 'MwWwkm7Bf6', 'FJkw8UGZsb', 'sBVwKK2IUW', 'be4wJL7QRR', 'lDZwrUAg5g'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, nTUhvxQDOcXj8JQMWo.cs	High entropy of concatenated method names: 'WyYyCpHBfi', 'LsVy0gJWCa', 'XldySHM6uR', 'CSRyA8XLBm', 'pguyGOmk7o', 'MfryPlA2C1', 'nI2ydjj1pC', 'wwDysCxfj4', 'FoIy2AnBGm', 'hT2y67NGBq'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, zMOkPApnBT6mGnfLyX.cs	High entropy of concatenated method names: 'hVW8U2Misw', 'Pre8tY63Ml', 'gMlkSQnUkb', 'hIYkA06trX', 'EmwkGmqd77', 'D3HkPRC93B', 'hQgkd7AS52', 'Fk2ksSOVMK', 'zKSk2u6jJW', 'r86k6Okx9r'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, VsNK4wVCfeTYLhMxvD.cs	High entropy of concatenated method names: 'eLwlkdG8cZ', 'pVQl8bepoP', 'rqrlKKwEwq', 'FpClJr2IBy', 'UYalyyAW4O', 'hR4lrXwlvQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, A9C2IOugWjFnITE7N5.cs	High entropy of concatenated method names: 'YiNkheDmjO', 'xqGkbPviKG', 'iNpk7IDIOO', 'Ob1kucCIOC', 'jMGkxYF6Nh', 'aknkjZFBjC', 'Ge4kw3phrO', 'oSbkHIYC9L', 'd0tkyBLqd1', 'KCxkl07Bj4'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	High entropy of concatenated method names: 'Ed1qiUo2O6', 'MuaqImLW4a', 'rSDqOufgXl', 'MO3qDhE7fo', 'uG7qoG466r', 'WX7qBk8h77', 'RcSq5GAZZp', 'HEZqXe90Fo', 'ImCqQ1pIGv', 'N3MqVjdGHC'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, EBfvrMCduamRu3Pnbb.cs	High entropy of concatenated method names: 'ypcK1hkH7s', 'J7qKq4Cjpn', 'hgwK84cuVv', 'qfUKJeSAUD', 'OmMKryK5Cc', 'BQk8oETxUN', 'EAy8B3vNVm', 'Wes85fMxVP', 'VC58XJHJGr', 'RWD8Q67hjw'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, npHo3H2p3DbRyrVoXP.cs	High entropy of concatenated method names: 'CmRJLPsG3A', 'QmxJRHc6G9', 'KcMJFRHtH5', 'Re3JhO8DPf', 'YZoJUs9VJE', 'vnJJbj1wZ2', 'b1bJtiK9YG', 'YrmJ7KWdTd', 'URsJujKt9B', 'rOrJp4b65h'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, qFLcOUgId9jqiWhOWs.cs	High entropy of concatenated method names: 'wZ3mJwm9hr', 'kgNmrHKftv', 'SgWmfjFnIT', 'c7Nm95FMOk', 'afLmxyXuBf', 'vrMmjduamR', 'IW16nXEQY9BbRZBojK', 'CgwBkVj2ngsG2Qp07t', 'wqimmQ4lYH', 'ynymEfrLjJ'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, OAoMZSa1ndGulih0Co.cs	High entropy of concatenated method names: 'fR5Fj5lft', 'AxCh68XAL', 'Wu6byR3KM', 'FVItmScCO', 'JciukjKYu', 'dCspjgspG', 'NsJuTty0v2JEYAsgEg', 'BttJjFaWUcfFPmviDn', 'MMDHGLDt6', 'mP6l1vVCM'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, RTGgJj3kWkVMwsrvu5.cs	High entropy of concatenated method names: 'OuuT7Ggsd1', 'NGXTutFxb6', 'F61TCjKmcy', 'jQ4T009xwR', 'cqbTAQddxR', 'M0kTGaTyQ2', 'WsjTda5u4v', 'ry5TsXbD15', 'Xk8T6nIjII', 'lxST4WZtDG'
Source: 0.2.INV76280.exe.4ab0e50.3.raw.unpack, booStM5bBShAecJKjP.cs	High entropy of concatenated method names: 'q5MyxaR9SZ', 'MVyywFi3II', 'PxPyycBsgo', 'sbBycFOWdr', 'qSLyM8QqPQ', 'OO3yW4pjv3', 'Dispose', 'tlOHNWFXLX', 'MgpHqHScJx', 'KxMHk4fuxP'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, LT5vc3qRISD0cELoWa.cs	High entropy of concatenated method names: 'Dispose', 'IhAmQecJKj', 'vTTa0gYQXr', 'rwc1TpNEsF', 'K6tmVe3gQ3', 'N47mz8jJvO', 'ProcessDialogKey', 'NgTanTUhvx', 'TOcamXj8JQ', 'vWoaaBsNK4'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, e5TabRmmD09KohK25VV.cs	High entropy of concatenated method names: 'u0XlV7oBlL', 'cBdlzotc7K', 'mMgcnao6qR', 'zhQcmi0Dxl', 'KGica4vPfQ', 'J5QcErHJjB', 'XLGcgQlPoL', 'icTc18YB0g', 'ovncNiJiWo', 'ccPcqqAyPn'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, t95b14dZKe2mCeBrIN.cs	High entropy of concatenated method names: 'Yo8JNhSKlh', 'lDKJkgkvdA', 'SYJJKVerQq', 'djOKV73Ksu', 'GhNKz4aXDD', 'ylEJnbL5KO', 'CGiJm7n86P', 'K21JafW3fv', 'rSbJEx5coA', 'O9WJgRslDU'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, dTxvLTrdPrAHnGVZjo.cs	High entropy of concatenated method names: 'TJcE1EqZDt', 'VWpENMoBQU', 'gSDEqj07UV', 'e8WEkc4BFL', 'Hf6E8h4Ol1', 'uUwEKd8c1n', 'gYZEJZ3gDQ', 'nYyEroJDAS', 'u3QEefkS6g', 'YjVEfqMVsp'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, MXYI5lmgVUN3E9pwxL0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iOFZywmuAR', 'sZTZlIIQ0P', 'yS4ZccptLd', 'nptZZdmjrB', 'n1qZMUepAi', 'fYwZv1g6rR', 'WM1ZWyprRL'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, bIWldTznoafjQkn3ph.cs	High entropy of concatenated method names: 'WlBlbvgAvk', 'gZ1l7tpNsQ', 'Iw6lu1GopP', 'jR1lC4Bgna', 'fqjl0fJ1Mc', 'r2QlAMpccR', 'sbFlGPfdO4', 'myhlWZCo2L', 'GG1lLNC66y', 'wsPlRm5qNt'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, HUXLaGmnCV39G7iMqqX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K4pl4roeqD', 'IMGlY0QYx0', 'AT5l3qRHrT', 'iSYliBXjOV', 'PcvlItdGkp', 'bAwlOtjoQq', 'sSUlDsUZBI'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, DTliCLBLMFeikdfSdF.cs	High entropy of concatenated method names: 'firwXYVgKi', 'SRZwV45Vt9', 'SkVHnbUhif', 'cUoHm51IHc', 'tIfw4TM7JM', 'Xw0wYfWhU1', 'DfMw3RO4Yx', 'DlEwi669iL', 'KqRwIH7eng', 'IbRwOxubl8'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, KHP8sXDItMTjAbb9Fx.cs	High entropy of concatenated method names: 'zT3wfrDFvM', 'wq9w91Ykls', 'ToString', 'PAPwNifAP4', 'LvUwq9cxLu', 'MwWwkm7Bf6', 'FJkw8UGZsb', 'sBVwKK2IUW', 'be4wJL7QRR', 'lDZwrUAg5g'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, nTUhvxQDOcXj8JQMWo.cs	High entropy of concatenated method names: 'WyYyCpHBfi', 'LsVy0gJWCa', 'XldySHM6uR', 'CSRyA8XLBm', 'pguyGOmk7o', 'MfryPlA2C1', 'nI2ydjj1pC', 'wwDysCxfj4', 'FoIy2AnBGm', 'hT2y67NGBq'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, zMOkPApnBT6mGnfLyX.cs	High entropy of concatenated method names: 'hVW8U2Misw', 'Pre8tY63Ml', 'gMlkSQnUkb', 'hIYkA06trX', 'EmwkGmqd77', 'D3HkPRC93B', 'hQgkd7AS52', 'Fk2ksSOVMK', 'zKSk2u6jJW', 'r86k6Okx9r'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, VsNK4wVCfeTYLhMxvD.cs	High entropy of concatenated method names: 'eLwlkdG8cZ', 'pVQl8bepoP', 'rqrlKKwEwq', 'FpClJr2IBy', 'UYalyyAW4O', 'hR4lrXwlvQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, A9C2IOugWjFnITE7N5.cs	High entropy of concatenated method names: 'YiNkheDmjO', 'xqGkbPviKG', 'iNpk7IDIOO', 'Ob1kucCIOC', 'jMGkxYF6Nh', 'aknkjZFBjC', 'Ge4kw3phrO', 'oSbkHIYC9L', 'd0tkyBLqd1', 'KCxkl07Bj4'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, Qwm9hr7rgNHKftvgxv.cs	High entropy of concatenated method names: 'Ed1qiUo2O6', 'MuaqImLW4a', 'rSDqOufgXl', 'MO3qDhE7fo', 'uG7qoG466r', 'WX7qBk8h77', 'RcSq5GAZZp', 'HEZqXe90Fo', 'ImCqQ1pIGv', 'N3MqVjdGHC'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, EBfvrMCduamRu3Pnbb.cs	High entropy of concatenated method names: 'ypcK1hkH7s', 'J7qKq4Cjpn', 'hgwK84cuVv', 'qfUKJeSAUD', 'OmMKryK5Cc', 'BQk8oETxUN', 'EAy8B3vNVm', 'Wes85fMxVP', 'VC58XJHJGr', 'RWD8Q67hjw'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, npHo3H2p3DbRyrVoXP.cs	High entropy of concatenated method names: 'CmRJLPsG3A', 'QmxJRHc6G9', 'KcMJFRHtH5', 'Re3JhO8DPf', 'YZoJUs9VJE', 'vnJJbj1wZ2', 'b1bJtiK9YG', 'YrmJ7KWdTd', 'URsJujKt9B', 'rOrJp4b65h'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, qFLcOUgId9jqiWhOWs.cs	High entropy of concatenated method names: 'wZ3mJwm9hr', 'kgNmrHKftv', 'SgWmfjFnIT', 'c7Nm95FMOk', 'afLmxyXuBf', 'vrMmjduamR', 'IW16nXEQY9BbRZBojK', 'CgwBkVj2ngsG2Qp07t', 'wqimmQ4lYH', 'ynymEfrLjJ'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, OAoMZSa1ndGulih0Co.cs	High entropy of concatenated method names: 'fR5Fj5lft', 'AxCh68XAL', 'Wu6byR3KM', 'FVItmScCO', 'JciukjKYu', 'dCspjgspG', 'NsJuTty0v2JEYAsgEg', 'BttJjFaWUcfFPmviDn', 'MMDHGLDt6', 'mP6l1vVCM'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, RTGgJj3kWkVMwsrvu5.cs	High entropy of concatenated method names: 'OuuT7Ggsd1', 'NGXTutFxb6', 'F61TCjKmcy', 'jQ4T009xwR', 'cqbTAQddxR', 'M0kTGaTyQ2', 'WsjTda5u4v', 'ry5TsXbD15', 'Xk8T6nIjII', 'lxST4WZtDG'
Source: 0.2.INV76280.exe.4b0c870.4.raw.unpack, booStM5bBShAecJKjP.cs	High entropy of concatenated method names: 'q5MyxaR9SZ', 'MVyywFi3II', 'PxPyycBsgo', 'sbBycFOWdr', 'qSLyM8QqPQ', 'OO3yW4pjv3', 'Dispose', 'tlOHNWFXLX', 'MgpHqHScJx', 'KxMHk4fuxP'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR

Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 50D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 91D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 7880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: A1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: B1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: B760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: C760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: D760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6278			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3489			Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe TID: 7520	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: INV76280.exe, 00000003.00000002.2949993730.0000000000A27000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.INV76280.exe.40d9970.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe"
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe"			Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV76280.exe"			Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Process created: C:\Users\user\Desktop\INV76280.exe "C:\Users\user\Desktop\INV76280.exe"			Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Users\user\Desktop\INV76280.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Users\user\Desktop\INV76280.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INV76280.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\INV76280.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\INV76280.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\INV76280.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.INV76280.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40f0f90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INV76280.exe.40d9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2949311518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1734104550.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INV76280.exe PID: 7752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INV76280.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
INV76280.exe