Analysis Report B6LNCKjOGt5EmFQ.exe

Overview

General Information

Sample Name: B6LNCKjOGt5EmFQ.exe
Analysis ID: 339499
MD5: 80d255a6a5ec339e15d6fec3c0fef666
SHA1: bca665ff5a6a7084df2d424c0ed7fff3e141acbc
SHA256: 3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4
Tags: exe, Yahoo

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: Pictures.exe.6240.10.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: LOGO AND PICTURES.exe.6208.9.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5874", "Password: ": "", "From: ": "sales01@seedwellresources.xyz"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: B6LNCKjOGt5EmFQ.exe ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: B6LNCKjOGt5EmFQ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 10.0.Pictures.exe.150000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.Pictures.exe.150000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.Pictures.exe.150000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.Pictures.exe.150000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 9.0.LOGO AND PICTURES.exe.db0000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 9.2.LOGO AND PICTURES.exe.db0000.0.unpack Avira: Label: TR/Redcap.jajcu

Compliance:

Uses 32bit PE files
Source: B6LNCKjOGt5EmFQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49739 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: B6LNCKjOGt5EmFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 0000000A.00000002.325931485.000000000093D000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.604546258.0000000000DB2000.00000002.00020000.sdmp

Spreading:

May infect USB drives
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Pictures.exe Binary or memory string: autorun.inf
Source: Pictures.exe Binary or memory string: [autorun]

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_00C914C0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_00C917F8
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_00C90728
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then mov esp, ebp 10_2_00C94830
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then jmp 00C91A73h 10_2_00C919A0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then jmp 00C91A73h 10_2_00C919B0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_00C95B70

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49738 -> 199.193.7.228:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Source: Joe Sandbox View IP Address: 131.186.161.70 131.186.161.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49738 -> 199.193.7.228:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49739 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pictures.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 94.197.2.0.in-addr.arpa
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LOGO AND PICTURES.exe, 00000009.00000003.459012991.0000000006ADF000.00000004.00000001.sdmp String found in binary or memory: http://crl.usertrusts
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.280326164.0000000003651000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LOGO AND PICTURES.exe, 00000009.00000002.614076620.000000000348A000.00000004.00000001.sdmp String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe String found in binary or memory: http://whatismyipaddress.com/
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000003.226742441.0000000001CAB000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe String found in binary or memory: http://www.nirsoft.net/
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.74
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
Source: Pictures.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.611791578.00000000032B4000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=
Source: LOGO AND PICTURES.exe, 00000009.00000002.615373407.0000000003515000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=3D84.17.52.74=0D=0A=
Source: LOGO AND PICTURES.exe, 00000009.00000002.612629984.00000000033B7000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=3D84.17.52.74=0D=0A=0D=0ADat=
Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp String found in binary or memory: https://www.geodatatool.com/en/?ip=84.17.52.74
Source: Pictures.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Pictures.exe.8.dr, Form1.cs .Net Code: HookKeyboard
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Pictures.exe
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO456724392021.exe
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: LOGO AND PICTURES.exe, 00000009.00000002.608636145.000000000151B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 16.0.PO2345714382021.exe.5d0000.0.unpack, <PrivateImplementationDetails>{8E6E7EF7-AC19-4F3F-8489-4F7AD84D7DAF}/E4F05C4E-2007-4C5F-B313-78ABE577C964.cs Large array initialization: .cctor: array initializer size 11976
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A254E6 NtResumeThread, 10_2_04A254E6
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A2543E NtQuerySystemInformation, 10_2_04A2543E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A2558E NtWriteVirtualMemory, 10_2_04A2558E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A253FA NtQuerySystemInformation, 10_2_04A253FA
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A25561 NtWriteVirtualMemory, 10_2_04A25561
Detected potential crypto function
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_01C5C4CC 0_2_01C5C4CC
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_01C5E463 0_2_01C5E463
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_01C5E470 0_2_01C5E470
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_01359754 9_2_01359754
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0135A3B8 9_2_0135A3B8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0135A3A9 9_2_0135A3A9
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0135A380 9_2_0135A380
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030CF22A 9_2_030CF22A
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030CD1D8 9_2_030CD1D8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030C0580 9_2_030C0580
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030CDAA8 9_2_030CDAA8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030CCE90 9_2_030CCE90
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030C10F8 9_2_030C10F8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030C1618 9_2_030C1618
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030C0BE0 9_2_030C0BE0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_030C8A38 9_2_030C8A38
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032183A0 9_2_032183A0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032141E8 9_2_032141E8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321E020 9_2_0321E020
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321F7D8 9_2_0321F7D8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032166E0 9_2_032166E0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_03217A98 9_2_03217A98
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321E808 9_2_0321E808
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032178A8 9_2_032178A8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321EFF0 9_2_0321EFF0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_03211C30 9_2_03211C30
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_03218390 9_2_03218390
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032141D8 9_2_032141D8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321E011 9_2_0321E011
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321E01E 9_2_0321E01E
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321F778 9_2_0321F778
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321E7A7 9_2_0321E7A7
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032166D0 9_2_032166D0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_032166DE 9_2_032166DE
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_03215F38 9_2_03215F38
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321EFE9 9_2_0321EFE9
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_00DB73C0 9_2_00DB73C0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0015D426 10_2_0015D426
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0015D523 10_2_0015D523
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0016D5AE 10_2_0016D5AE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00167646 10_2_00167646
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001929BE 10_2_001929BE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00196AF4 10_2_00196AF4
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001BABFC 10_2_001BABFC
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001B3C4D 10_2_001B3C4D
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001B3CBE 10_2_001B3CBE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0015ED03 10_2_0015ED03
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001B3D2F 10_2_001B3D2F
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001B3DC0 10_2_001B3DC0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0015CF92 10_2_0015CF92
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0016AFA6 10_2_0016AFA6
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C96048 10_2_00C96048
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C95758 10_2_00C95758
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C98710 10_2_00C98710
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C91DA8 10_2_00C91DA8
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C97088 10_2_00C97088
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_00C97098 10_2_00C97098
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0018C7BC 10_2_0018C7BC
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: String function: 0019BA9D appears 35 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2184
PE file contains strange resources
Source: Pictures.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314008888.0000000008070000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.315076330.0000000008220000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDING[repeated PADDINGXXPADDING filler trimmed] vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314382538.00000000080D0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314382538.00000000080D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300376997.0000000003850000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300352400.0000000003720000.00000002.00000001.sdmp Binary or memory string: originalfilename vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300352400.0000000003720000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs B6LNCKjOGt5EmFQ.exe
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDING[repeated PADDINGXXPADDING filler trimmed] vs B6LNCKjOGt5EmFQ.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: security.dll
Uses 32bit PE files
Source: B6LNCKjOGt5EmFQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: B6LNCKjOGt5EmFQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TcVfsyyjYuQ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Pictures.exe.8.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.8.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.8.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.8.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Pictures.exe.8.dr, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@25/14@49/5
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A24E52 AdjustTokenPrivileges, 10_2_04A24E52
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A24E1B AdjustTokenPrivileges, 10_2_04A24E1B
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Mutant created: \Sessions\1\BaseNamedObjects\WtsosTEBOBiSalvAHUcave
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp
Source: B6LNCKjOGt5EmFQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: B6LNCKjOGt5EmFQ.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File read: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe
Source: unknown Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe 'C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: unknown Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2184
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2184
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: B6LNCKjOGt5EmFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: B6LNCKjOGt5EmFQ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: B6LNCKjOGt5EmFQ.exe Static file information: File size 1891328 > 1048576
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: B6LNCKjOGt5EmFQ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cd000
Source: B6LNCKjOGt5EmFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 0000000A.00000002.325931485.000000000093D000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.604546258.0000000000DB2000.00000002.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Pictures.exe.8.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.8.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.8.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.8.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_00FE4DDA push ebx; retf 0_2_00FE4DDB
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_00FE2ECC push 205A0B4Ch; retf 0_2_00FE2ED1
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_00FE6F30 push ecx; iretd 0_2_00FE704E
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_00FE5630 push ss; retf 0_2_00FE5631
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 0_2_00FE6413 push ds; iretd 0_2_00FE6428
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 7_2_00516413 push ds; iretd 7_2_00516428
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 7_2_00515630 push ss; retf 7_2_00515631
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 7_2_00516F30 push ecx; iretd 7_2_0051704E
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 7_2_00514DDA push ebx; retf 7_2_00514DDB
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 7_2_00512ECC push 205A0B4Ch; retf 7_2_00512ED1
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 8_2_00AC2ECC push 205A0B4Ch; retf 8_2_00AC2ED1
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 8_2_00AC4DDA push ebx; retf 8_2_00AC4DDB
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 8_2_00AC5630 push ss; retf 8_2_00AC5631
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 8_2_00AC6F30 push ecx; iretd 8_2_00AC704E
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Code function: 8_2_00AC6413 push ds; iretd 8_2_00AC6428
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_0321C471 push es; ret 9_2_0321C486
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001C0712 push eax; ret 10_2_001C0726
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_001C0712 push eax; ret 10_2_001C074E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0019BA9D push eax; ret 10_2_0019BAB1
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_0019BA9D push eax; ret 10_2_0019BAD9
Source: initial sample Static PE information: section name: .text entropy: 7.9172695107

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File created: C:\Users\user\AppData\Local\Temp\Pictures.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.280603529.000000000369E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,threadDelayed
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: GetAdaptersInfo, 10_2_04A22D72
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: GetAdaptersInfo, 10_2_04A22D4A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 1362
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 8011
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 3259
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 6583
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Window / User API: threadDelayed 586
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe TID: 2588 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe TID: 2588 Thread sleep time: -95000s >= -30000s
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -197656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -197438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -194062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 6916 Thread sleep time: -96688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6708 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6712 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6720 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 7144 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 3920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 3920 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 3920 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe TID: 5616 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 7048 Thread sleep time: -3090000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 7048 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 7048 Thread sleep time: -39906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 7048 Thread sleep time: -39876s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File Volume queried: C:\ FullSizeInformation
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: VMware
Source: LOGO AND PICTURES.exe, 00000009.00000003.517546136.000000000489B000.00000004.00000001.sdmp Binary or memory string: urrvPvzm3HwXvz1NTwLxXNfnvExFnrNIx7UVm/SmCD+FCHqemutVR/rFgT0wki9LPwg/
Source: LOGO AND PICTURES.exe, 00000009.00000002.616596730.00000000042BB000.00000004.00000001.sdmp Binary or memory string: 5kJqdYbP21Rz2ptUM/x1qh7GFdJhiEB8hXnJNFU+GVEqzwoQhfmh2C9IQlQEMUDAfUYS
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: vmware
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: LOGO AND PICTURES.exe, 00000009.00000002.616596730.00000000042BB000.00000004.00000001.sdmp Binary or memory string: fGg1mg3xoMngajQe6hGFSjiakAtVKJKH03ElOPVYoYRfwjC6jpmhdA54fgS3dC5Uyynp
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: VMware
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: LOGO AND PICTURES.exe, 00000009.00000003.517546136.000000000489B000.00000004.00000001.sdmp Binary or memory string: /ggrd5oGq/eeB+sMqIUNhgFsPAZg07EA648E+MdwgDWHGNbGZeuOQEaRKAT4+5AGWOOZ
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.282531714.0000000003AD7000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: LOGO AND PICTURES.exe, 00000009.00000003.517546136.000000000489B000.00000004.00000001.sdmp Binary or memory string: c6+yJD9ToI4EDZ/YK22zNFx6n1EdIvMQeMutryjDZdN2xTZa3ITFDcse9N7K29CuP/2N
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Code function: 9_2_03211C30 LdrInitializeThunk,KiUserExceptionDispatcher, 9_2_03211C30
Enables debug privileges
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: Pictures.exe.8.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Pictures.exe.8.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.0.Pictures.exe.150000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.Pictures.exe.150000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 16.0.PO2345714382021.exe.5d0000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into foreign processes
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe {path}
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2184
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: LOGO AND PICTURES.exe, 00000009.00000002.610812522.0000000001C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: LOGO AND PICTURES.exe, 00000009.00000002.610812522.0000000001C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: LOGO AND PICTURES.exe, 00000009.00000002.610812522.0000000001C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: LOGO AND PICTURES.exe, 00000009.00000002.614076620.000000000348A000.00000004.00000001.sdmp Binary or memory string: Program ManagerxQT

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Users\user\AppData\Local\Temp\PO456724392021.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Note: the only netsh invocation observed is 'netsh wlan show profile', which enumerates the saved WLAN profiles and changes no firewall or network setting; it is the enumeration step of the WLAN password harvesting listed under Stealing of Sensitive Information below, not a HIPS/PFW modification.
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.283351079.000000000134C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.289168879.0000000003E3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.287788541.00000000044BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.278201176.000000000138F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.285048922.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.284660390.0000000000AB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.278060140.0000000001324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.287649744.00000000005D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.287852153.0000000003DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612763581.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.604664953.0000000000AB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.286730546.00000000044BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612958072.0000000002DD2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, type: DROPPED
Source: Yara match File source: 12.0.PO456724392021.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.PO2345714382021.exe.5d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.PO456724392021.exe.ab0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.329671193.0000000003921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.301913637.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000009.00000002.604546258.0000000000DB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.281199501.0000000000DB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LOGO AND PICTURES.exe PID: 6208, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match File source: 9.0.LOGO AND PICTURES.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.LOGO AND PICTURES.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000014.00000002.308380033.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.329671193.0000000003921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612763581.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612958072.0000000002DD2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LOGO AND PICTURES.exe PID: 6208, type: MEMORY
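The signatures in this section are the behaviours a host-based detection keys on: a dropper in %TEMP% spawning 'netsh wlan show profile', a WMI query against root\SecurityCenter2 for AntivirusProduct/FirewallProduct, and reads of the FileZilla, WinSCP, Thunderbird, Chrome and Outlook credential stores the report names. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from any of the detected families. It scores constructed Sysmon-style event tuples (event type, acting PID, acting image, detail) against those behaviours. The event list, the rule weights, the alert threshold and the PIDs 6300, 6310, 1234 and 4321 are assumptions for the example (6208 and 6240 are the PIDs the report gives for LOGO AND PICTURES.exe and Pictures.exe). The owner allowlist covers the obvious false positive: the application that owns a credential store reads it legitimately, so only a different image touching it counts.

```python
"""Added example: score process events for the credential-harvesting behaviour
listed in this report. Events are constructed Sysmon-style tuples, not sandbox output."""
import re
from collections import defaultdict

# (rule name, event type, regex over the event detail, weight, image basename that
# may legitimately touch the store, or None). Paths and keys are the ones the report lists;
# the weights are an assumption for the example.
RULES = [
    ("wlan_profile_enum", "ProcessCreate",
     r"netsh(\.exe)?\s+wlan\s+show\s+profile", 2, None),
    ("wlan_key_clear", "ProcessCreate",
     r"wlan\s+show\s+profile.*key\s*=\s*clear", 3, None),
    ("securitycenter2", "WmiQuery",
     r"root\\SecurityCenter2\s*:\s*SELECT .* FROM (AntivirusProduct|FirewallProduct|AntiSpywareProduct)", 2, None),
    ("filezilla_creds", "FileOpen",
     r"\\FileZilla\\(recentservers|sitemanager)\.xml$", 3, "filezilla.exe"),
    ("winscp_sessions", "RegOpen",
     r"\\Martin Prikryl\\WinSCP 2\\Sessions$", 3, "winscp.exe"),
    ("thunderbird_profile", "FileOpen",
     r"\\Thunderbird\\profiles\.ini$", 2, "thunderbird.exe"),
    ("chrome_logins", "FileOpen",
     r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", 3, "chrome.exe"),
    ("outlook_profile", "RegOpen",
     r"\\Windows Messaging Subsystem\\Profiles", 2, "outlook.exe"),
]
# Every dropper in this report runs from %TEMP%; that origin adds weight (assumed policy).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ALERT_THRESHOLD = 3  # assumption for the example


def score_events(events):
    """events: iterable of (event_type, actor_pid, actor_image, detail). For
    ProcessCreate the actor is the parent and detail is the child's command line,
    mirroring the report's "Source: X Process created: Y" lines.
    Returns {pid: {"image", "score", "hits"}} for actors that trip a rule."""
    findings = defaultdict(lambda: {"image": None, "score": 0, "hits": []})
    for etype, pid, image, detail in events:
        basename = image.rsplit("\\", 1)[-1].lower()
        for name, rule_type, pattern, weight, owner in RULES:
            if etype != rule_type or not re.search(pattern, detail, re.IGNORECASE):
                continue
            if owner and basename == owner:
                continue  # the owning application reading its own store is normal
            entry = findings[pid]
            if name in entry["hits"]:
                continue  # count each rule once per process
            entry["image"] = image
            entry["hits"].append(name)
            entry["score"] += weight + (1 if TEMP_DIR_RE.search(image) else 0)
    return dict(findings)


def alerts(events, threshold=ALERT_THRESHOLD):
    """PIDs whose accumulated score reaches the threshold, ascending."""
    return sorted(pid for pid, f in score_events(events).items() if f["score"] >= threshold)


# Constructed sample events (not from the sandbox). PIDs 6208 and 6240 are the report's
# for LOGO AND PICTURES.exe and Pictures.exe; 6300, 6310, 1234 and 4321 are invented.
SAMPLE_EVENTS = [
    ("ProcessCreate", 6208, r"C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe",
     "netsh wlan show profile"),
    ("ProcessCreate", 6208, r"C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe",
     'netsh wlan show profile name="HomeWifi" key=clear'),
    ("WmiQuery", 6240, r"C:\Users\user\AppData\Local\Temp\Pictures.exe",
     r"root\SecurityCenter2 : SELECT * FROM AntivirusProduct"),
    ("FileOpen", 6300, r"C:\Users\user\AppData\Local\Temp\PO2345714382021.exe",
     r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    ("RegOpen", 6310, r"C:\Users\user\AppData\Local\Temp\PO456724392021.exe",
     r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    # Benign: Thunderbird reads its own profile list; explorer runs an unrelated netsh command.
    ("FileOpen", 1234, r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("ProcessCreate", 4321, r"C:\Windows\explorer.exe", "netsh interface show interface"),
]

if __name__ == "__main__":
    for pid, f in score_events(SAMPLE_EVENTS).items():
        print(pid, f["score"], f["image"], f["hits"])
    print("alert:", alerts(SAMPLE_EVENTS))
```

On the constructed events the two benign actors produce no finding, while each of the four %TEMP% droppers reaches the threshold; LOGO AND PICTURES.exe scores highest because both the profile enumeration and the follow-up key=clear dump are attributed to the same parent.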

Remote Access Functionality:

Detected HawkEye Rat
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Pictures.exe String found in binary or memory: HawkEyeKeylogger
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
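The "String found in binary or memory" lines above show a stray leading character on each HawkEye string (M, U, E, C, !). Those characters are not part of the strings: their byte values are exactly 2*len+1 ('M' = 0x4D = 77 for the 38-character HawkEye_Keylogger_Execution_Confirmed_, 'E' = 0x45 = 69 for the 34-character HawkEye_Keylogger_Stealer_Records_, '!' = 0x21 = 33 for the 16-character HawkEyeKeylogger), which is the compressed length prefix of each entry in a .NET assembly's #US user-string heap (ECMA-335), fused by the string extractor to the UTF-16LE string that follows it. A signature for these markers therefore has to match the wide encoding and must not include the prefix byte. The Python below is an added example written for this page, not the report's or HawkEye's code: it builds a constructed #US heap from the strings quoted above, scans a buffer for the markers in both ASCII and UTF-16LE, decodes the prefix byte, and classifies a buffer on the number of distinct markers (the min_distinct threshold is an assumption).

```python
"""Added example: find the HawkEye marker strings quoted in this report in ASCII and
UTF-16LE, and decode the .NET #US heap length prefix the sandbox shows fused to them."""

HAWKEYE_MARKERS = [
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
    "pidloc.txt",
]


def us_heap_entry(s):
    """Encode one ECMA-335 #US heap entry: compressed length of (UTF-16LE payload
    + 1 trailing flag byte), then the payload, then the flag (0 here)."""
    payload = s.encode("utf-16-le")
    n = len(payload) + 1
    if n < 0x80:
        prefix = bytes([n])
    elif n < 0x4000:
        prefix = bytes([0x80 | (n >> 8), n & 0xFF])
    else:
        prefix = bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
    return prefix + payload + b"\x00"


def find_markers(buf):
    """All (marker, encoding, offset) hits in buf, offset-ordered. .NET string
    literals sit in memory as UTF-16LE, so the 'wide' form is the one that fires."""
    hits = []
    for m in HAWKEYE_MARKERS:
        for enc, needle in (("ascii", m.encode("ascii")), ("wide", m.encode("utf-16-le"))):
            i = buf.find(needle)
            while i != -1:
                hits.append((m, enc, i))
                i = buf.find(needle, i + 1)
    return sorted(hits, key=lambda h: h[2])


def decode_us_prefix(buf, offset):
    """Character count announced by the single-byte #US length prefix just before
    the wide string at offset: value = 2*chars + 1, so 'M' (0x4D = 77) means 38 chars."""
    b = buf[offset - 1]
    if b & 0x80:
        raise ValueError("multi-byte length prefix; not needed for these strings")
    return (b - 1) // 2


def prefix_for(buf, marker):
    """(prefix byte as the character the sandbox printed, decoded char count) for
    the wide hit of marker, or None if absent."""
    for m, enc, off in find_markers(buf):
        if m == marker and enc == "wide":
            return chr(buf[off - 1]), decode_us_prefix(buf, off)
    return None


def classify(buf, min_distinct=2):
    """'hawkeye' when at least min_distinct different markers occur (assumed threshold)."""
    distinct = {m for m, _, _ in find_markers(buf)}
    return "hawkeye" if len(distinct) >= min_distinct else "clean"


# Constructed sample: a #US heap (leading empty blob, then entries) holding the
# strings quoted in the report; these are not bytes taken from the sample.
SAMPLE_US_HEAP = b"\x00" + b"".join(us_heap_entry(s) for s in (
    "\\pidloc.txt", "HawkEyeKeylogger", "HawkEye_Keylogger_Execution_Confirmed_",
    ".txt", "HawkEye_Keylogger_Stealer_Records_", "HawkEye_Keylogger_Keylog_Records_",
))

if __name__ == "__main__":
    for m, enc, off in find_markers(SAMPLE_US_HEAP):
        print(f"{off:5d} {enc:5s} {m}")
    print(prefix_for(SAMPLE_US_HEAP, "HawkEye_Keylogger_Execution_Confirmed_"))
    print(classify(SAMPLE_US_HEAP))
```

Running it against the constructed heap reproduces the report's rendering: the byte before HawkEye_Keylogger_Execution_Confirmed_ is 'M' and decodes to 38 characters, and every hit is in the wide encoding, which is why an ASCII-only string match on the unpacked .NET payload would miss them.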
Yara detected AgentTesla
Source: Yara matches identical to those listed for this signature under Stealing of Sensitive Information above
Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000009.00000002.604546258.0000000000DB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.281199501.0000000000DB2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LOGO AND PICTURES.exe PID: 6208, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
Source: Yara match File source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match File source: 9.0.LOGO AND PICTURES.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.LOGO AND PICTURES.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A20A8E listen, 10_2_04A20A8E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A20E9E bind, 10_2_04A20E9E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A20E6B bind, 10_2_04A20E6B
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 10_2_04A20A50 listen, 10_2_04A20A50
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 339499  Sample: B6LNCKjOGt5EmFQ.exe  Startdate: 14/01/2021  Architecture: WINDOWS  Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 22 other signatures

Process tree (dropped files, network contacts and per-process signatures as drawn in the graph):

B6LNCKjOGt5EmFQ.exe
    Dropped: C:\Users\user\AppData\...\TcVfsyyjYuQ.exe (PE32)
    Dropped: C:\Users\user\AppData\Local\...\tmpDAC4.tmp (XML)
    Dropped: C:\Users\user\...\B6LNCKjOGt5EmFQ.exe.log (ASCII)
    |
    +-- B6LNCKjOGt5EmFQ.exe
    |       Network: 192.168.2.1 (unknown)
    |       Dropped: C:\Users\user\AppData\Local\...\Pictures.exe (PE32)
    |       Dropped: C:\Users\user\AppData\...\PO456724392021.exe (PE32)
    |       Dropped: C:\Users\user\AppData\...\PO2345714382021.exe (PE32)
    |       Dropped: C:\Users\user\...\LOGO AND PICTURES.exe (PE32)
    |       |
    |       +-- Pictures.exe
    |       |       DNS: 94.197.2.0.in-addr.arpa
    |       |       Network: smtp.privateemail.com 199.193.7.228, ports 49738, 49744, 49745 (NAMECHEAP-NETUS, United States)
    |       |       Network: whatismyipaddress.com 104.16.154.36, ports 49731, 80 (CLOUDFLARENETUS, United States)
    |       |       Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Changes the view of files in windows explorer (hidden files and folders); 4 other signatures
    |       |       |
    |       |       +-- vbc.exe
    |       |       |       Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
    |       |       +-- vbc.exe
    |       |       |       Signatures: Tries to harvest and steal browser information (history, passwords, etc)
    |       |       +-- dw20.exe
    |       |
    |       +-- PO2345714382021.exe
    |       |       Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
    |       |
    |       +-- PO456724392021.exe
    |       |       Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Installs a global keyboard hook
    |       |
    |       +-- LOGO AND PICTURES.exe
    |               DNS: checkip.dyndns.org
    |               Network: checkip.dyndns.com 131.186.161.70, ports 49733, 49737, 49740 (DYNDNSUS, United States)
    |               Network: freegeoip.app 172.67.188.154, ports 443, 49739 (CLOUDFLARENETUS, United States)
    |               Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
    |               |
    |               +-- netsh.exe
    |                       +-- conhost.exe
    |
    +-- schtasks.exe
    |       +-- conhost.exe
    |
    +-- B6LNCKjOGt5EmFQ.exe

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name         Malicious
104.16.154.36   unknown  United States  13335  CLOUDFLARENETUS  false
131.186.161.70  unknown  United States  33517  DYNDNSUS         false
199.193.7.228   unknown  United States  22612  NAMECHEAP-NETUS  false
172.67.188.154  unknown  United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1

Contacted Domains

Name                     IP              Active
whatismyipaddress.com    104.16.154.36   true
freegeoip.app            172.67.188.154  true
smtp.privateemail.com    199.193.7.228   true
checkip.dyndns.com       131.186.161.70  true
checkip.dyndns.org       unknown         unknown
94.197.2.0.in-addr.arpa  unknown         unknown

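The behavior graph and the contact tables above give a hunting analyst two things to work with: the network footprint (IP-check and geolocation lookups, then SMTP to smtp.privateemail.com) and the process lineage (stealer children of binaries dropped in %TEMP%, netsh for the WLAN profiles, schtasks fed a task definition from %TEMP%). The script below turns those observations into triage rules over Sysmon-style events. It is an added example, not part of the sandbox report. The events in SAMPLE_EVENTS are constructed: process names, paths and indicators follow the report, while the command lines, the SMTP destination port and the sample's original path are assumptions, since the report shows only process names and the graph.

```python
"""Triage rules built from the behavior graph and contact tables.

Events are Sysmon-style dicts: EventID 1 (process creation) carries Image,
ParentImage and CommandLine; EventID 3 (network connection) carries Image,
DestinationHostname, DestinationIp and DestinationPort.
"""
import re

# Indicators copied from the "Contacted Domains" / "Contacted Public IPs" tables.
IOC_DOMAINS = {
    "whatismyipaddress.com",
    "checkip.dyndns.org",
    "checkip.dyndns.com",
    "freegeoip.app",
    "smtp.privateemail.com",
}
IOC_IPS = {"104.16.154.36", "131.186.161.70", "199.193.7.228", "172.67.188.154"}

# The IP/geo lookup services are weak indicators on their own (plenty of
# legitimate software uses them); mail submission from a binary dropped in
# %TEMP% is the exfiltration channel and is weighted as its own finding.
EXFIL_HOSTS = {"smtp.privateemail.com"}
SMTP_PORTS = {25, 465, 587}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_temp_binary(image):
    """True when the image path sits under %LOCALAPPDATA%\\Temp."""
    return bool(TEMP_RE.search(image or ""))


def check_network(ev):
    """Rules for EventID 3: known IOC contact, SMTP from a %TEMP% binary."""
    hits = []
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    ip = ev.get("DestinationIp", "")
    if host in IOC_DOMAINS or ip in IOC_IPS:
        hits.append("contacts known IOC %s" % (host or ip))
    if is_temp_binary(ev.get("Image")) and (
        host in EXFIL_HOSTS or ev.get("DestinationPort") in SMTP_PORTS
    ):
        hits.append("SMTP from binary in %TEMP% (credential exfiltration channel)")
    return hits


def check_process(ev):
    """Rules for EventID 1, mirroring the child processes seen in the graph."""
    hits = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent_in_temp = is_temp_binary(ev.get("ParentImage"))
    if image.endswith("\\netsh.exe") and parent_in_temp and "wlan" in cmd and "profile" in cmd:
        hits.append("netsh wlan profile dump spawned from %TEMP% (WLAN password harvesting)")
    if image.endswith("\\schtasks.exe") and "/create" in cmd and TEMP_RE.search(cmd):
        hits.append("schtasks /create with task definition in %TEMP% (persistence)")
    if image.endswith("\\vbc.exe") and parent_in_temp:
        hits.append("vbc.exe spawned from %TEMP% (the graph shows stealer signatures on vbc.exe children)")
    return hits


def triage(events):
    """Return (pid, image, finding) tuples for every rule that fires."""
    findings = []
    for ev in events:
        hits = check_network(ev) if ev.get("EventID") == 3 else check_process(ev)
        findings.extend((ev.get("ProcessId"), ev.get("Image"), h) for h in hits)
    return findings


# Constructed sample events. Command lines, port 587 and the Desktop path of the
# original sample are assumptions; names and indicators come from the report.
SAMPLE = r"C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6240, "Image": TEMP + r"\Pictures.exe",
     "ParentImage": SAMPLE, "CommandLine": TEMP + r"\Pictures.exe"},
    {"EventID": 3, "ProcessId": 6240, "Image": TEMP + r"\Pictures.exe",
     "DestinationHostname": "whatismyipaddress.com", "DestinationIp": "104.16.154.36",
     "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 6240, "Image": TEMP + r"\Pictures.exe",
     "DestinationHostname": "smtp.privateemail.com", "DestinationIp": "199.193.7.228",
     "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 7000, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": TEMP + r"\Pictures.exe", "CommandLine": "vbc.exe"},
    {"EventID": 1, "ProcessId": 7001, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": TEMP + r"\LOGO AND PICTURES.exe",
     "CommandLine": "netsh wlan show profile name=* key=clear"},
    {"EventID": 1, "ProcessId": 7002, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": SAMPLE,
     "CommandLine": 'schtasks /Create /XML "' + TEMP + r'\tmpDAC4.tmp"'},
    {"EventID": 1, "ProcessId": 7003, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, image, finding in triage(SAMPLE_EVENTS):
        print(pid, image, "->", finding)
```

Run against the constructed events, the rules fire six times: both connections from Pictures.exe (the SMTP one twice, once as an IOC hit and once as the exfiltration rule), the vbc.exe child, the netsh profile dump and the schtasks persistence; the benign svchost.exe line is silent. In production the IOC sets would be fed from the report rather than hard-coded, and the %TEMP% parentage rules are the ones worth keeping after the infrastructure rotates.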
Contacted URLs

Name                           Malicious  Antivirus Detection    Reputation
http://checkip.dyndns.org/     false      Avira URL Cloud: safe  unknown
http://whatismyipaddress.com/  false                             high