Analysis Report https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0

Overview

General Information

Sample URL: https://onedrive.live.com/download?cid=F9306F27ACC5AABA&resid=F9306F27ACC5AABA%21278&authkey=AEXuJUX0kEgNwa0
Analysis ID: 341895

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential browser exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FxuoZREPj.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.RegSvcs.exe.6050000.5.unpack Avira: Label: TR/NanoCore.fadte
Source: 14.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: dbpdbvcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000001A.00000002.291671286.0000000005720000.00000002.00000001.sdmp
Source: Binary string: .pdb71USE source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.14.dr
Source: Binary string: vcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281971824.0000000005760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.473472471.0000000005D60000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291386372.0000000005120000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.291992470.00000000057D0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 02D5097Fh 4_2_02D502A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 02D5097Eh 4_2_02D502A8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_0520D8F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 4x nop then mov esp, ebp 14_2_05558917
Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\SysWOW64\unarchiver.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 194.5.98.120:58103
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 194.5.98.120:58103
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 194.5.98.120 ports 0,1,3,58103,5,8
Uses dynamic DNS services
Source: unknown DNS query: name: strongodss.ddns.net
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05672FE2 WSARecv, 14_2_05672FE2
Source: unknown DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: RegSvcs.exe, 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same memory and unpacked-PE matches as listed under AV Detection)

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
PE file contains section with special chars
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: section name: }PT(h{>
Source: FxuoZREPj.exe.10.dr Static PE information: section name: }PT(h{>
PE file has nameless sections
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: section name:
Source: FxuoZREPj.exe.10.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0121ABEE NtQuerySystemInformation, 10_2_0121ABEE
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0121ABB3 NtQuerySystemInformation, 10_2_0121ABB3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05671572 NtSetInformationProcess, 14_2_05671572
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05671836 NtQuerySystemInformation, 14_2_05671836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05671541 NtSetInformationProcess, 14_2_05671541
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_056717FB NtQuerySystemInformation, 14_2_056717FB
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4_2_02D502A8 4_2_02D502A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4_2_02D50299 4_2_02D50299
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520B118 10_2_0520B118
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05203DA8 10_2_05203DA8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520D8F8 10_2_0520D8F8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05202660 10_2_05202660
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05201E68 10_2_05201E68
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05202EEA 10_2_05202EEA
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520ED28 10_2_0520ED28
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205D28 10_2_05205D28
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05200110 10_2_05200110
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205D18 10_2_05205D18
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05206178 10_2_05206178
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05203D45 10_2_05203D45
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05201DB8 10_2_05201DB8
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205580 10_2_05205580
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205590 10_2_05205590
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_052099F0 10_2_052099F0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205831 10_2_05205831
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520A060 10_2_0520A060
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05206C67 10_2_05206C67
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205B38 10_2_05205B38
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205B48 10_2_05205B48
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205FA0 10_2_05205FA0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05205F90 10_2_05205F90
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520AA40 10_2_0520AA40
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05201283 10_2_05201283
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_06082182 10_2_06082182
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_060821A6 10_2_060821A6
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_061D2E44 10_2_061D2E44
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_061D1380 10_2_061D1380
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_061D1BE0 10_2_061D1BE0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_061D1BD0 10_2_061D1BD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_02E47ABE 14_2_02E47ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_0555B530 14_2_0555B530
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05553850 14_2_05553850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_055523A0 14_2_055523A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05552FA8 14_2_05552FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05559A68 14_2_05559A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05558E68 14_2_05558E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_0555306F 14_2_0555306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_0555A310 14_2_0555A310
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05559B2F 14_2_05559B2F
PE file contains strange resources
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FxuoZREPj.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473292400.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.473627286.0000000006040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.5780000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.RegSvcs.exe.6040000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: Section: }PT(h{> ZLIB complexity 1.00031377097
Source: FxuoZREPj.exe.10.dr Static PE information: Section: }PT(h{> ZLIB complexity 1.00031377097
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.262334538.000000000559C000.00000004.00000001.sdmp Binary or memory string: c.slnt
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.261981799.000000000559C000.00000004.00000001.sdmp Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
Source: FNYVlhLumPogrzL.exe, 0000000A.00000003.262028370.000000000559C000.00000004.00000001.sdmp Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
Source: classification engine Classification label: mal100.troj.evad.win@28/24@16/1
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0121A592 AdjustTokenPrivileges, 10_2_0121A592
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0121A55B AdjustTokenPrivileges, 10_2_0121A55B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_056713F6 AdjustTokenPrivileges, 14_2_056713F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_056713BF AdjustTokenPrivileges, 14_2_056713BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4840:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4168:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Mutant created: \Sessions\1\BaseNamedObjects\PTXTiysVRkmEztU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1180:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFC5EFD22772502ADF.TMP
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: select * from PMS;select * from PMS where
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: unknown Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5152 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Run
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: dbpdbvcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000001A.00000002.291671286.0000000005720000.00000002.00000001.sdmp
Source: Binary string: .pdb71USE source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.14.dr
Source: Binary string: vcs.pdb source: RegSvcs.exe, 0000000E.00000002.468630564.0000000003000000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281971824.0000000005760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.473472471.0000000005D60000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291386372.0000000005120000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.291992470.00000000057D0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Unpacked PE file: 10.2.FNYVlhLumPogrzL.exe.8c0000.0.unpack }PT(h{>:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
.NET source code contains potential unpacker
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains sections with non-standard names
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: section name: }PT(h{>
Source: FNYVlhLumPogrzL.exe.5.dr Static PE information: section name:
Source: FxuoZREPj.exe.10.dr Static PE information: section name: }PT(h{>
Source: FxuoZREPj.exe.10.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0091D5F0 push edi; iretd 10_2_0091D621
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_01224F2D push esp; ret 10_2_01224F35
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520887A push es; retf 10_2_0520887B
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0520347C push edi; iretd 10_2_0520347D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_02E4ADA8 push cs; retf 14_2_02E4ADBF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_02E49D72 push 7802E4CBh; retf 14_2_02E49D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_02E4AD34 push cs; retf 14_2_02E4AD4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_02E4AE1B push cs; retf 14_2_02E4AE33
Source: initial sample Static PE information: section name: }PT(h{> entropy: 7.99979160938
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe File created: C:\Users\user\AppData\Roaming\FxuoZREPj.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 0000000A.00000002.277584166.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1KR[R
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1KR
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 692
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5868 Thread sleep count: 194 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5868 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe TID: 5388 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe TID: 1564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_0567161A GetSystemInfo, 14_2_0567161A
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMware
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1kr`R
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: vmwareX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsX1kr"P
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.276452871.00000000010B2000.00000004.00000020.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware3YUN599EWin32_VideoControllerK6E3EGV8VideoController120060621000000.000000-0005627.786display.infMSBDA7FNXXYUPPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsGN93ZUV3
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: QEMUX1kr^R
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMware
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277334850.0000000003071000.00000004.00000001.sdmp Binary or memory string: VMWAREX1krMP
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMware|9kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp Binary or memory string: VMWAREX1kr
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.277461898.000000000309D000.00000004.00000001.sdmp Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMWARE|9kr
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.280276639.0000000003414000.00000004.00000001.sdmp Binary or memory string: VMware |9kr
Source: RegSvcs.exe, 0000000E.00000002.474066463.0000000006930000.00000002.00000001.sdmp, RegSvcs.exe, 00000017.00000002.291570681.0000000005180000.00000002.00000001.sdmp, dhcpmon.exe, 0000001A.00000002.292281119.0000000005830000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: RegSvcs.exe, 0000000E.00000002.467863584.0000000001384000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_0121A172 CheckRemoteDebuggerPresent, 10_2_0121A172
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F81008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\TKK3637920031.jpeg.z'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FxuoZREPj' /XML 'C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp'
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7D78.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81FD.tmp'
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000004.00000002.467686582.0000000001760000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.468229633.0000000001A20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe Code function: 10_2_05441586 GetUserNameA, 10_2_05441586
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: FNYVlhLumPogrzL.exe, 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000E.00000002.470342259.0000000003351000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 0000000E.00000002.473649492.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.281072105.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.472189305.00000000043C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.466149209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.280831636.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4912, type: MEMORY
Source: Yara match File source: Process Memory Space: FNYVlhLumPogrzL.exe PID: 2208, type: MEMORY
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.6050000.5.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05672B26 bind, 14_2_05672B26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 14_2_05672AF6 bind, 14_2_05672AF6
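The Yara matches and memory strings above (NanoCore.ClientPluginHost, IClientNetworkHost, NanoProtectClient, the "[NanoProtect]: Checking for NanoProtect module" literal) are what a memory-scanning rule for this family keys on. The following is an added example, not code from this report or from Joe Sandbox: it scans a byte buffer for those markers in the two encodings a .NET assembly can carry them in. The sample buffers are constructed stand-ins, not the sandbox's dump, and the "two distinct markers" threshold is an assumption that mirrors a Yara-style "2 of them" condition.

```python
"""Look for the NanoCore marker strings quoted in this report inside a memory
region or unpacked PE, in both encodings a .NET assembly can carry them."""
from typing import Dict, List

# Names quoted in the report's "String found in binary or memory" entries.
MARKERS = [
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "NanoProtectClient",
    "ClientPlugin.dll",
    "[NanoProtect]: Checking for NanoProtect module",
]
MIN_DISTINCT = 2  # assumption: mirrors a Yara-style "2 of them" condition


def encoded_forms(marker: str) -> Dict[str, bytes]:
    # Type and member names live in the #Strings heap as UTF-8 (plain ASCII
    # here); string literals used by the code live in the #US heap as
    # UTF-16LE. A rule with only the ASCII form misses the literals.
    return {"ascii": marker.encode("ascii"), "wide": marker.encode("utf-16-le")}


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Map each marker present in blob to the encodings it was found in."""
    found: Dict[str, List[str]] = {}
    for marker in MARKERS:
        hits = [name for name, needle in encoded_forms(marker).items() if needle in blob]
        if hits:
            found[marker] = hits
    return found


def is_nanocore(blob: bytes) -> bool:
    return len(scan(blob)) >= MIN_DISTINCT


# Constructed stand-in for a dumped memory region (not the sandbox's dump):
# metadata names as ASCII, a code string literal as UTF-16LE.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"<Module>mscorlibMicrosoft.VisualBasicNanoCore.ClientPluginHostIClientNetworkHost"
    + b"\x00" * 16
    + "[NanoProtect]: Checking for NanoProtect module..".encode("utf-16-le")
    + b"\x00" * 16
)
BENIGN_DUMP = b"MZ\x90\x00" + "Hello from a harmless console app".encode("utf-16-le")

if __name__ == "__main__":
    print(scan(SAMPLE_DUMP), is_nanocore(SAMPLE_DUMP), is_nanocore(BENIGN_DUMP))
```

Run it against the .sdmp regions or the .unpack files listed above: the UTF-16LE form is what catches the NanoProtect log line, while the plugin-host interface names turn up as plain ASCII in the metadata heap.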
Behavior Graph

Behavior Graph ID: 341895
URL: https://onedrive.live.com/d...
Startdate: 20/01/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the sample as a whole: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
DNS attached to the sample as a whole: strongodss.ddns.net

Process tree reconstructed from the graph. Indentation shows parent/child. The bracketed numbers are the counts of created files and created registry values printed on the graph nodes (the graph does not label which is which). Dropped files, DNS/IP contacts and signatures are listed under the process they belong to.

iexplore.exe [7 70]
  iexplore.exe [27]
    DNS: sn-files.fe.1drv.com, rptj2g.sn.files.1drv.com, onedrive.live.com
  unarchiver.exe [5]
    cmd.exe [1]
      FNYVlhLumPogrzL.exe [6]
        Dropped: C:\Users\user\AppData\Roaming\FxuoZREPj.exe (PE32)
        Dropped: C:\Users\user\AppData\Local\...\tmpE9ED.tmp (XML)
        Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 4 other signatures
        RegSvcs.exe [1 14]
          DNS/IP: strongodss.ddns.net 194.5.98.120, ports 49731, 49734, 49735 (DANILENKODE, Netherlands)
          Dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
          Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
          Signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier)
          schtasks.exe [1]
            conhost.exe
          schtasks.exe [1]
            conhost.exe
        schtasks.exe [1]
          conhost.exe
      conhost.exe
    7za.exe [2]
      Dropped: C:\Users\user\AppData\...\FNYVlhLumPogrzL.exe (PE32)
      conhost.exe
RegSvcs.exe [4]
  conhost.exe
dhcpmon.exe
  conhost.exe

Contacted Public IPs

IP             Domain    Country       ASN      ASN Name      Malicious
194.5.98.120   unknown   Netherlands   208476   DANILENKODE   true

Contacted Domains

Name IP Active
strongodss.ddns.net 194.5.98.120 true
onedrive.live.com unknown unknown
rptj2g.sn.files.1drv.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
0 true
    low
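The chain in the behavior graph (temp executable spawning RegSvcs.exe, schtasks.exe importing a task from a Temp XML, the dhcpmon.exe persistence copy, C2 over a dynamic-DNS name) and the network indicators in the tables above are the parts a hunter would turn into rules. The following is an added example and not code from this report, from Joe Sandbox or from the Sigma project: four small rules run over constructed Sysmon-style event records modelled on the graph. The event records, the task name in the sample command line, and the list of .NET utilities other than RegSvcs.exe are assumptions; the domain, IP and file paths are the ones the report shows.

```python
"""Hunting rules for the NanoCore delivery chain shown in this report's
behavior graph, run over constructed Sysmon-style events. The event records
are made up to resemble the graph; they are not telemetry from the run."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

# Network indicators from the Contacted Public IPs / Contacted Domains tables.
IOC_DOMAINS = {"strongodss.ddns.net"}
IOC_IPS = {"194.5.98.120"}
DYNDNS_SUFFIXES = (".ddns.net",)  # provider seen in this report; extend as needed

# Paths observed in the report (persistence copy and the RAT's run.dat).
DROP_PATTERNS = [
    re.compile(r"\\program files \(x86\)\\dhcp monitor\\dhcpmon\.exe$", re.I),
    re.compile(r"\\appdata\\roaming\\.*\\run\.dat$", re.I),
]
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# .NET framework utilities used as hollowing hosts; RegSvcs.exe is the one
# seen here, the other two are an assumption based on the same technique.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_from_temp(ev: Event) -> Optional[str]:
    # Approximates the "Scheduled temp file as task from temp location"
    # signature: schtasks importing a task definition out of Temp.
    if ev["type"] != "ProcessCreate" or basename(ev["image"]) != "schtasks.exe":
        return None
    m = re.search(r'/xml\s+"?([^"\s]+)', ev.get("cmdline", ""), re.I)
    if m and TEMP_DIR.search(m.group(1)):
        return "schtasks.exe imports task XML from Temp"
    return None


def rule_dotnet_host_from_temp(ev: Event) -> Optional[str]:
    # RegSvcs.exe normally has a developer tool as parent, not a Temp binary.
    if (ev["type"] == "ProcessCreate" and basename(ev["image"]) in DOTNET_HOSTS
            and TEMP_DIR.search(ev.get("parent_image", ""))):
        return "%s spawned by executable in Temp (injection host)" % basename(ev["image"])
    return None


def rule_network_ioc(ev: Event) -> Optional[str]:
    if ev["type"] == "DnsQuery":
        q = ev["query"].lower()
        if q in IOC_DOMAINS:
            return "DNS lookup of known C2 domain " + q
        if q.endswith(DYNDNS_SUFFIXES) and basename(ev["image"]) in DOTNET_HOSTS:
            return "dynamic-DNS lookup from .NET utility process"
    if ev["type"] == "NetworkConnect" and ev["dst_ip"] in IOC_IPS:
        return "connection to known C2 address " + ev["dst_ip"]
    return None


def rule_persistence_drop(ev: Event) -> Optional[str]:
    if ev["type"] == "FileCreate":
        for pat in DROP_PATTERNS:
            if pat.search(ev["target"]):
                return "persistence artifact written: " + basename(ev["target"])
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_schtasks_from_temp, rule_dotnet_host_from_temp,
    rule_network_ioc, rule_persistence_drop,
]


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, finding) pairs for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((ev["id"], finding))
    return hits


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
DROPPER = r"C:\Users\user\AppData\Local\Temp\vjk3yugy.hgt\FNYVlhLumPogrzL.exe"
SAMPLE_EVENTS: List[Event] = [  # constructed, modelled on the behavior graph
    {"id": "e1", "type": "ProcessCreate", "image": DROPPER,
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": "e2", "type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": DROPPER,
     "cmdline": r'schtasks.exe /Create /TN "sample_task" /XML "C:\Users\user\AppData\Local\Temp\tmpE9ED.tmp"'},
    {"id": "e3", "type": "ProcessCreate", "image": REGSVCS, "parent_image": DROPPER},
    {"id": "e4", "type": "DnsQuery", "image": REGSVCS, "query": "strongodss.ddns.net"},
    {"id": "e5", "type": "NetworkConnect", "image": REGSVCS, "dst_ip": "194.5.98.120"},
    {"id": "e6", "type": "FileCreate", "image": REGSVCS,
     "target": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"id": "e7", "type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Documents\notes.txt"},
    {"id": "e8", "type": "ProcessCreate", "image": REGSVCS,
     "parent_image": r"C:\Program Files (x86)\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(event_id, finding)
```

The parent-process rule is the one that survives a rebuild of the sample: the domain and IP change per campaign, but a .NET framework utility started by a binary in Temp, followed by schtasks.exe reading its task definition from the same directory, is the loader behaviour itself. Events e7 and e8 are there to show that a benign file write and RegSvcs.exe launched by a developer tool do not fire.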