Analysis Report hkaP5RPCGNDVq3Z.exe

Overview

General Information

Sample Name: hkaP5RPCGNDVq3Z.exe
Analysis ID: 339931
MD5: 07556e1af1f43f7dd42d32d188187e4a
SHA1: 42110c04869726694a2537e05f987039cd829ac0
SHA256: a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
Tags: exeHawkEye

Most interesting Screenshot:

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: hkaP5RPCGNDVq3Z.exe.5908.3.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: PO456724392021.exe.2208.8.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "VjouxsS", "URL: ": "http://YfWA3aJjc76ztEimE.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5876", "Password: ": "Nd6zB", "From: ": "sales01@seedwellresources.xyz"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.Pictures.exe.470000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.Pictures.exe.470000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.470000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.470000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack Avira: Label: TR/Redcap.jajcu

Compliance:

barindex
Uses 32bit PE files
Source: hkaP5RPCGNDVq3Z.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: hkaP5RPCGNDVq3Z.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277045507.0000000002840000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbdN source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbz\AppData\Local\Temp\Pictures.exe source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbln source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
Source: Binary string: mscorrc.pdb source: Pictures.exe, 00000007.00000002.280912855.0000000004DD0000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr

Spreading:

barindex
May infect USB drives
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Pictures.exe Binary or memory string: [autorun]
Source: Pictures.exe Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr Binary or memory string: [autorun]

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0704DAB0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 7_2_04CB14C0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 7_2_04CB17F8
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then jmp 04CB1A73h 7_2_04CB19A0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then jmp 04CB1A73h 7_2_04CB19B0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 7_2_04CB5B70
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 7_2_04CB0728
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 7_2_04CB603A
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 4x nop then mov esp, ebp 7_2_04CB4830

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://YfWA3aJjc76ztEimE.com
May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0259A09A recv, 7_2_0259A09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pictures.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 169.241.9.0.in-addr.arpa
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: http://YGApDP.com
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624818191.0000000003604000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624749656.00000000035FB000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622310400.000000000335F000.00000004.00000001.sdmp String found in binary or memory: http://YfWA3aJjc76ztEimE.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.367655934.00000000065A3000.00000004.00000001.sdmp String found in binary or memory: http://crl.co
Source: LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LOGO AND PICTURES.exe, 00000006.00000003.367635858.0000000006598000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627337909.000000000660B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp, Pictures.exe.3.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: LOGO AND PICTURES.exe, 00000006.00000003.367705732.000000000656E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sect
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000002.277841679.0000000002BDD000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: Pictures.exe String found in binary or memory: http://whatismyipaddress.com/
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Pictures.exe.3.dr String found in binary or memory: http://www.nirsoft.net/
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Pictures.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Pictures.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, PO456724392021.exe, PO2345714382021.exe, 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, PO2345714382021.exe.3.dr String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Pictures.exe.3.dr, Form1.cs .Net Code: HookKeyboard
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Pictures.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO456724392021.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: PO456724392021.exe, 00000008.00000002.619065209.000000000159B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Detected potential crypto function
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_02A2C26C 0_2_02A2C26C
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_02A2E622 0_2_02A2E622
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_02A2E630 0_2_02A2E630
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_02A24558 0_2_02A24558
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_0704DAB0 0_2_0704DAB0
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_0704CAE8 0_2_0704CAE8
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_0704EC08 0_2_0704EC08
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_00742186 0_2_00742186
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 3_2_00682186 3_2_00682186
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0047D426 7_2_0047D426
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0047D523 7_2_0047D523
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0048D5AE 7_2_0048D5AE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_00487646 7_2_00487646
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004B29BE 7_2_004B29BE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004B6AF4 7_2_004B6AF4
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004DABFC 7_2_004DABFC
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004D3C4D 7_2_004D3C4D
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004D3CBE 7_2_004D3CBE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0047ED03 7_2_0047ED03
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004D3D2F 7_2_004D3D2F
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004D3DC0 7_2_004D3DC0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0047CF92 7_2_0047CF92
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_0048AFA6 7_2_0048AFA6
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB6048 7_2_04CB6048
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB5758 7_2_04CB5758
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB7088 7_2_04CB7088
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB7098 7_2_04CB7098
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB1D98 7_2_04CB1D98
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004AC7BC 7_2_004AC7BC
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_00E92296 8_2_00E92296
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_01309410 8_2_01309410
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_0130DA11 8_2_0130DA11
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_0130DE78 8_2_0130DE78
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_0130F190 8_2_0130F190
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_0130F04D 8_2_0130F04D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 9AE5EF3FD4FEEA105C1ED3F1E69FD4FA328E8F29F1937097280F7EEE7F8D749E
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 56BD25ACDB97CE17F8351B926C48A4F63E348C40F6C5913219B0745D99F6B31D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Pictures.exe 5207F3D079A52017E7977296C9EBA782D3D5EAE5ADEC94FA38ACDD88C184496D
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: String function: 004BBA9D appears 35 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
PE file contains strange resources
Source: hkaP5RPCGNDVq3Z.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jcKKBKdU.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: hkaP5RPCGNDVq3Z.exe Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.279931962.0000000007890000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278131793.00000000075E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.280157361.0000000007900000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266387872.0000000002A30000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: security.dll
Uses 32bit PE files
Source: hkaP5RPCGNDVq3Z.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: hkaP5RPCGNDVq3Z.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jcKKBKdU.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Pictures.exe.3.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.3.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.3.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Pictures.exe.3.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Pictures.exe.3.dr, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/12@38/5
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D34E52 AdjustTokenPrivileges, 7_2_04D34E52
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D34E1B AdjustTokenPrivileges, 7_2_04D34E1B
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Roaming\jcKKBKdU.exe Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Mutant created: \Sessions\1\BaseNamedObjects\yjyyHtOeJEQCUOCiFqHAwaA
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\tmpEED.tmp Jump to behavior
Source: hkaP5RPCGNDVq3Z.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File read: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp' Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: hkaP5RPCGNDVq3Z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: hkaP5RPCGNDVq3Z.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: hkaP5RPCGNDVq3Z.exe Static file information: File size 1664000 > 1048576
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: hkaP5RPCGNDVq3Z.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x191e00
Source: hkaP5RPCGNDVq3Z.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277045507.0000000002840000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbdN source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbz\AppData\Local\Temp\Pictures.exe source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbln source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
Source: Binary string: C:\Windows\mscorlib.pdbd source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbH source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
Source: Binary string: mscorrc.pdb source: Pictures.exe, 00000007.00000002.280912855.0000000004DD0000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: hkaP5RPCGNDVq3Z.exe, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: jcKKBKdU.exe.0.dr, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.hkaP5RPCGNDVq3Z.exe.740000.0.unpack, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.hkaP5RPCGNDVq3Z.exe.740000.0.unpack, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.3.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.3.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.3.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Pictures.exe.3.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.hkaP5RPCGNDVq3Z.exe.680000.0.unpack, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.hkaP5RPCGNDVq3Z.exe.680000.1.unpack, E?Lg????qv/?O?????uxR.cs .Net Code: e?SVFxBz???qD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_02A27B10 push eax; retf 0_2_02A27B8D
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Code function: 0_2_07041718 pushfd ; retf 0_2_07041719
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004E0712 push eax; ret 7_2_004E0726
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004E0712 push eax; ret 7_2_004E074E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004BBA9D push eax; ret 7_2_004BBAB1
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_004BBA9D push eax; ret 7_2_004BBAD9
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_3_065B72F6 pushfd ; iretd 8_3_065B72F7
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_3_065B72F6 pushfd ; iretd 8_3_065B72F7
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Code function: 8_2_013060F0 pushfd ; retf 8_2_013060FD
Source: initial sample Static PE information: section name: .text entropy: 7.98345662423
Source: initial sample Static PE information: section name: .text entropy: 7.98345662423

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Jump to dropped file
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Jump to dropped file
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Roaming\jcKKBKdU.exe Jump to dropped file
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File created: C:\Users\user\AppData\Local\Temp\Pictures.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5552, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Function Chain: threadResumed,threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadCreated,memAlloc,threadResumed
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to query network adapater information
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: GetAdaptersInfo, 7_2_04D32D72
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: GetAdaptersInfo, 7_2_04D32D4A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 3269 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Window / User API: threadDelayed 6245 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 4164
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Window / User API: threadDelayed 5636
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Window / User API: threadDelayed 773
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 4848 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 4848 Thread sleep time: -65000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe TID: 1304 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -21213755684765971s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -199718s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -197936s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98468s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -98000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -96562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -94890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -94750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe TID: 5280 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 5848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6324 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6328 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe TID: 6340 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe TID: 6856 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -3060000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe TID: 6524 Thread sleep time: -59750s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.259794496.000000000306D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: vmware
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO456724392021.exe, 00000008.00000002.627153787.00000000065A0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: LOGO AND PICTURES.exe, 00000006.00000003.443811407.0000000008E32000.00000004.00000001.sdmp Binary or memory string: jWWifTDVPPukP/KMU/nhPKY8U6xnKCiwD83HtQxjqW+sV+hDoYc2lhGfsVinfoyjYlYZ
Source: PO456724392021.exe, PO2345714382021.exe, 00000009.00000003.361527643.0000000000835000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.259794496.000000000306D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: LOGO AND PICTURES.exe, 00000006.00000003.442108883.00000000041CD000.00000004.00000001.sdmp Binary or memory string: A5uYgwCE/KsJwDhEVB+Lvb5DR+oNYibtAAKIPTVMci8OG6d3wPNU1AQgluOIP8GTfpqa
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Pictures.exe, 00000007.00000002.285191121.0000000006A60000.00000002.00000001.sdmp, PO456724392021.exe, 00000008.00000002.626990308.0000000006340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04CB77F0 LdrInitializeThunk, 7_2_04CB77F0
Enables debug privileges
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: Pictures.exe.3.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Pictures.exe.3.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.0.Pictures.exe.470000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.2.Pictures.exe.470000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Memory written: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp' Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\Pictures.exe 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO456724392021.exe 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0 Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Process created: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100 Jump to behavior
Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PO456724392021.exe, 00000008.00000002.620396813.0000000001C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Users\user\AppData\Local\Temp\PO456724392021.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
AV process strings found (often used to terminate AV products)
Source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp Binary or memory string: r\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261043420.0000000000DBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261983479.000000000406E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261860544.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264379500.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.614250246.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.255977838.0000000000D94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO2345714382021.exe PID: 5880, type: MEMORY
Source: Yara match File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, type: DROPPED
Source: Yara match File source: 8.0.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.PO2345714382021.exe.a0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LOGO AND PICTURES.exe PID: 5872, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match File source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.280377660.0000000003B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY

Remote Access Functionality:

barindex
Detected HawkEye Rat
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Pictures.exe String found in binary or memory: HawkEyeKeylogger
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pictures.exe, 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9ar
Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9ar@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9ar@
Source: Pictures.exe.3.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pictures.exe.3.dr String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pictures.exe.3.dr String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pictures.exe.3.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261043420.0000000000DBC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.261983479.000000000406E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.261860544.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264379500.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.614250246.0000000000E92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.255977838.0000000000D94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO2345714382021.exe PID: 5880, type: MEMORY
Source: Yara match File source: Process Memory Space: PO456724392021.exe PID: 2208, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe, type: DROPPED
Source: Yara match File source: 8.0.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PO456724392021.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.PO2345714382021.exe.a0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LOGO AND PICTURES.exe PID: 5872, type: MEMORY
Source: Yara match File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, type: DROPPED
Source: Yara match File source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D30E9E bind, 7_2_04D30E9E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D30A8E listen, 7_2_04D30A8E
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D30A50 listen, 7_2_04D30A50
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe Code function: 7_2_04D30E6B bind, 7_2_04D30E6B
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339931 Sample: hkaP5RPCGNDVq3Z.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 19 other signatures 2->64 9 hkaP5RPCGNDVq3Z.exe 6 2->9         started        process3 file4 36 C:\Users\user\AppData\Local\Temp\tmpEED.tmp, XML 9->36 dropped 38 C:\Users\user\AppData\Roaming\jcKKBKdU.exe, PE32 9->38 dropped 88 Injects a PE file into a foreign processes 9->88 13 hkaP5RPCGNDVq3Z.exe 5 9->13         started        16 schtasks.exe 1 9->16         started        signatures5 process6 file7 40 C:\Users\user\AppData\Local\...\Pictures.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\...\PO2345714382021.exe, PE32 13->42 dropped 44 C:\Users\user\...\LOGO AND PICTURES.exe, PE32 13->44 dropped 18 PO2345714382021.exe 13->18         started        22 PO456724392021.exe 13->22         started        24 Pictures.exe 15 6 13->24         started        26 LOGO AND PICTURES.exe 14 5 13->26         started        28 conhost.exe 16->28         started        process8 dnsIp9 66 Antivirus detection for dropped file 18->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->68 70 Tries to steal Mail credentials (via file access) 18->70 86 2 other signatures 18->86 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->74 76 Installs a global keyboard hook 22->76 46 169.241.9.0.in-addr.arpa 24->46 48 whatismyipaddress.com 104.16.155.36, 49728, 80 CLOUDFLARENETUS United States 24->48 50 192.168.2.1 unknown unknown 24->50 78 Machine Learning detection for dropped file 24->78 80 Changes the view of files in windows explorer (hidden files and folders) 24->80 30 dw20.exe 24->30         started        52 checkip.dyndns.org 26->52 54 smtp.privateemail.com 199.193.7.228, 49739, 49741, 49742 NAMECHEAP-NETUS United States 26->54 56 2 other IPs or domains 26->56 82 Tries to harvest and steal browser information (history, passwords, etc) 26->82 84 Tries to harvest and steal WLAN passwords 26->84 32 netsh.exe 26->32         started        signatures10 process11 process12 34 conhost.exe 32->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.16.155.36
 unknown United States
13335 CLOUDFLARENETUS false
162.88.193.70
 unknown United States
33517 DYNDNSUS false
104.21.19.200
 unknown United States
13335 CLOUDFLARENETUS false
199.193.7.228
 unknown United States
22612 NAMECHEAP-NETUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.155.36 true
freegeoip.app 104.21.19.200 true
smtp.privateemail.com 199.193.7.228 true
checkip.dyndns.com 162.88.193.70 true
169.241.9.0.in-addr.arpa unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • Avira URL Cloud: safe
 unknown
http://whatismyipaddress.com/ false
    		high
    http://YfWA3aJjc76ztEimE.com true
    • Avira URL Cloud: safe
    		 unknown