Analysis Report company profile.scr

Overview

General Information

Sample Name: company profile.scr (renamed file extension from scr to exe)
Analysis ID: 342227
MD5: 02f3eef9da2ef90d0cf59bfaca176886
SHA1: 6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
SHA256: 76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
Tags: NanoCore, RAT, scr


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
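The signature list above names "Sigma detected: Scheduled temp file as task from temp location" and "Uses schtasks.exe or at.exe to add and modify task schedules", but this excerpt of the report does not show the command line that triggered them. The following is an added example (not part of the Joe Sandbox report and not the Sigma rule itself) of the check such a rule performs on process-creation telemetry: a schtasks.exe /create whose /tr or /xml argument points into a temp directory. The temp-path list, the switch parsing and the Sysmon-style sample events are assumptions constructed for the example.

```python
"""Flag scheduled-task creation whose action or task XML lives in a temp folder."""
import re

# Temp locations a task action or task definition should not normally come from (assumed list).
TEMP_DIR_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%|%tmp%)", re.IGNORECASE
)
# Value of a /tr or /xml switch, quoted ("C:\x y.exe") or bare (C:\a.xml).
SWITCH_RE = re.compile(r'/(tr|xml)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def schtasks_switch_values(cmdline: str) -> dict:
    """Return {'tr': ..., 'xml': ...} for the switches present on a schtasks command line."""
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in SWITCH_RE.finditer(cmdline)
    }


def is_temp_task_creation(event: dict) -> bool:
    """True for schtasks.exe /create whose /tr or /xml argument resolves to a temp directory."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return False
    return any(TEMP_DIR_RE.search(v) for v in schtasks_switch_values(cmd).values())


def scan_events(events) -> list:
    """Return the subset of process-creation events that match the check."""
    return [e for e in events if is_temp_task_creation(e)]


# Constructed Sysmon-style process-creation events; none of these are taken from the sandbox run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\company profile.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "Example Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\company profile.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn Updater /tr "C:\Windows\Temp\svc host.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /query /tn Backup"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c echo /create /tr "C:\Windows\Temp\x.exe"'},
]

if __name__ == "__main__":
    for e in scan_events(SAMPLE_EVENTS):
        print("suspicious task creation:", e["ParentImage"], "->", e["CommandLine"])
```

The image check matters as much as the command-line check: the last sample event carries the same switches inside a cmd.exe echo and must not fire. Pair the hit with the parent process (here the sample itself) when triaging.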

Classification

AV Detection:

Found malware configuration
Source: company profile.exe.6080.6.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["105.112.102.172"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: company profile.exe Virustotal: Detection: 33%
Source: company profile.exe ReversingLabs: Detection: 37%
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UnShSbgF.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: company profile.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.company profile.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.company profile.exe.6840000.5.unpack Avira: Label: TR/NanoCore.fadte
Source: 6.2.company profile.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: company profile.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: company profile.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_03341670
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 1_2_0334FD48
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then push dword ptr [ebp-20h] 1_2_0334FEB8
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_0334FEB8
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_03341590
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 1_2_033415D1
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 1_2_059CD750
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 1_2_059CD748
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then xor edx, edx 1_2_059CFF56
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then xor edx, edx 1_2_059CFF60
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 11_2_052FD74B
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 11_2_052FD750
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then xor edx, edx 11_2_052FFF60
Source: C:\Users\user\Desktop\company profile.exe Code function: 4x nop then xor edx, edx 11_2_052FFF57

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 105.112.102.172
Uses dynamic DNS services
Source: unknown DNS query: name: kcfresh.duckdns.org
Source: unknown DNS query: name: kcfresh.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 185.140.53.227:5050
Source: global traffic TCP traffic: 192.168.2.3:49721 -> 105.112.102.172:5050
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View ASN Name: VNL1-ASNG
Source: unknown DNS traffic detected: queries for: kcfresh.duckdns.org
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: company profile.exe, 00000001.00000002.252392608.0000000003407000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.309406249.0000000002D27000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: company profile.exe, 0000000B.00000003.280780605.00000000035D3000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/experimentDataSet.xsd
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: company profile.exe, 00000001.00000002.261375523.000000000CE02000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.317231994.000000000B520000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
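The Networking section yields four usable indicators: the C2 address from the extracted configuration (105.112.102.172), a second address contacted on the same port (185.140.53.227:5050), and the two dynamic-DNS names the sample resolved (kcfresh.duckdns.org, kcfresh.ddns.net). The block below is an added example, not part of the Joe Sandbox report, that turns those indicators into detection logic run over DNS and connection records. The log format, the sample records, the list of common egress ports and the dynamic-DNS suffixes beyond duckdns.org and ddns.net are assumptions made for the example; nothing here asserts that NanoCore always uses port 5050, which is operator-configurable.

```python
"""Match DNS and connection records against the NanoCore indicators from the report."""
import ipaddress

# Indicators from the report: C2 IP from the extracted configuration, the second address
# seen on TCP/5050, and the two dynamic-DNS names the sample queried.
C2_IPS = {"105.112.102.172", "185.140.53.227"}
C2_DOMAINS = {"kcfresh.duckdns.org", "kcfresh.ddns.net"}
C2_PORT = 5050  # port observed in this run only; NanoCore operators choose it freely
# Dynamic-DNS suffixes to hunt for. The first two are used by this sample; the rest are assumed.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org", ".zapto.org")
# Egress ports an outbound baseline would normally allow (assumed list).
COMMON_PORTS = {53, 80, 443, 123, 25, 465, 587, 993, 995}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_dns(line: str) -> list:
    """Record format (constructed): 'ts client_ip qname'. Returns (severity, reason) tuples."""
    _ts, client, qname = line.split()
    q = qname.lower().rstrip(".")
    if q in C2_DOMAINS:
        return [("high", f"{client} resolved known NanoCore C2 name {q}")]
    if q.endswith(DYNDNS_SUFFIXES):
        return [("medium", f"{client} resolved dynamic-DNS name {q}")]
    return []


def check_conn(line: str) -> list:
    """Record format (constructed): 'ts src_ip src_port dst_ip dst_port proto'."""
    _ts, src, _sport, dst, dport, proto = line.split()
    dport = int(dport)
    if dst in C2_IPS:
        return [("high", f"{src} -> {dst}:{dport}/{proto} matches NanoCore C2 address")]
    if not _is_internal(dst) and dport not in COMMON_PORTS:
        sev = "medium" if dport == C2_PORT else "low"
        return [(sev, f"{src} -> {dst}:{dport}/{proto} on non-standard port")]
    return []


def scan(dns_lines, conn_lines) -> list:
    alerts = []
    for line in dns_lines:
        alerts += check_dns(line)
    for line in conn_lines:
        alerts += check_conn(line)
    return alerts


# Constructed sample records. The first two DNS queries and first two flows mirror the
# report's traffic (192.168.2.3 is the sandbox VM); the rest are benign filler.
SAMPLE_DNS = [
    "1611840000 192.168.2.3 kcfresh.duckdns.org",
    "1611840001 192.168.2.3 kcfresh.ddns.net",
    "1611840002 192.168.2.7 host1.hopto.org",
    "1611840003 192.168.2.7 www.fontbureau.com",
]
SAMPLE_CONN = [
    "1611840004 192.168.2.3 49713 185.140.53.227 5050 tcp",
    "1611840005 192.168.2.3 49721 105.112.102.172 5050 tcp",
    "1611840006 192.168.2.7 50000 192.168.2.1 5050 tcp",    # internal destination, ignored
    "1611840007 192.168.2.7 50001 203.0.113.10 443 tcp",    # common port, ignored
    "1611840008 192.168.2.7 50002 203.0.113.10 8081 tcp",   # non-standard port, low
]

if __name__ == "__main__":
    for sev, reason in scan(SAMPLE_DNS, SAMPLE_CONN):
        print(f"[{sev}] {reason}")
```

The font-vendor URLs listed above (fontbureau.com, fonts.com and the others) come from embedded font metadata and are not contacted by the sample; they are deliberately not in the indicator set.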

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: same memory dump and unpacked PE matches as listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
PE file contains section with special chars
Source: company profile.exe Static PE information: section name: EMP;sb
Source: UnShSbgF.exe.1.dr Static PE information: section name: EMP;sb
PE file has nameless sections
Source: company profile.exe Static PE information: section name:
Source: UnShSbgF.exe.1.dr Static PE information: section name:
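The static findings above (32BIT_MACHINE and EXECUTABLE_IMAGE under Compliance, the DllCharacteristics NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT, the section named "EMP;sb" and the nameless section in both the sample and the dropped UnShSbgF.exe) all come from the COFF header and section table. The block below is an added example, not code from the Joe Sandbox report, that reproduces those checks with the standard library only, so it can be run against any PE without pefile. The fixture image it builds is constructed: only the section names "EMP;sb" and "", the COFF characteristics and the DllCharacteristics value come from the report; the .text section, all section permission bits and the writable-plus-executable check are assumptions.

```python
"""Static PE header checks mirroring the report's section and flag signatures."""
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_CHARACTERISTIC_NAMES = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                          ".idata", ".edata", ".pdata", ".tls", ".bss"}


def parse_pe_headers(data: bytes) -> dict:
    """Parse the COFF header, DllCharacteristics and section table; ValueError on a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0")
        sec_chars = struct.unpack_from("<I", data, entry + 36)[0]
        sections.append((name, sec_chars))
    return {"machine": machine, "magic": magic, "characteristics": characteristics,
            "dll_characteristics": dll_chars, "sections": sections}


def static_findings(data: bytes) -> list:
    """Return report-style findings for the header facts flagged on this sample."""
    hdr = parse_pe_headers(data)
    findings = []
    flags = hdr["characteristics"]
    if flags & IMAGE_FILE_32BIT_MACHINE and flags & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("Uses 32bit PE files")
    set_names = [n for bit, n in DLL_CHARACTERISTIC_NAMES.items() if hdr["dll_characteristics"] & bit]
    if "DYNAMIC_BASE" in set_names or "NX_COMPAT" in set_names:
        findings.append("Contains modern PE file flags such as dynamic base (ASLR) or NX: "
                        + ", ".join(set_names))
    for name, chars in hdr["sections"]:
        text = name.decode("latin-1")
        if not name:
            findings.append("PE file has nameless sections")
        elif not all(c.isalnum() or c in "._$" for c in text):
            findings.append(f"PE file contains section with special chars: {text!r}")
        elif text not in STANDARD_SECTION_NAMES:
            findings.append(f"PE file contains sections with non-standard names: {text!r}")
        # Assumed extra check: a section that is both writable and executable is a common
        # home for a self-decrypting stub, which is what the report's unpacking signature saw at runtime.
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"Section is both writable and executable: {text!r}")
    return findings


def build_fixture_pe(sections, dll_characteristics=0x8540) -> bytes:
    """Construct a header-only PE32 image for testing. 0x8540 is the report's
    NO_SEH|TERMINAL_SERVER_AWARE|DYNAMIC_BASE|NX_COMPAT; everything else is made up."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    table = b"".join(name.ljust(8, b"\0")[:8] + bytes(28) + struct.pack("<I", chars)
                     for name, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


FIXTURE = build_fixture_pe([
    (b".text", 0x60000020),    # code, read+execute (assumed)
    (b"EMP;sb", 0xC0000040),   # initialized data, read+write (name from report, bits assumed)
    (b"", 0xE0000020),         # nameless, read+write+execute (name from report, bits assumed)
])

if __name__ == "__main__":
    for line in static_findings(FIXTURE):
        print(line)
```

To run it on a real file, pass `open(path, "rb").read()` to `static_findings`; the section-name checks are the cheap triage step, and a section name containing a ';' or no name at all, as here, is a strong hint that a packer rather than a linker wrote the header.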
Detected potential crypto function
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03342B48 1_2_03342B48
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03346B4A 1_2_03346B4A
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334BA20 1_2_0334BA20
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03340512 1_2_03340512
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334355A 1_2_0334355A
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03344DA8 1_2_03344DA8
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03342410 1_2_03342410
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334B4D0 1_2_0334B4D0
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03342379 1_2_03342379
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03342FF8 1_2_03342FF8
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03345E20 1_2_03345E20
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03345E10 1_2_03345E10
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033452E0 1_2_033452E0
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033466E0 1_2_033466E0
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033452D0 1_2_033452D0
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033466D1 1_2_033466D1
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03346932 1_2_03346932
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03346940 1_2_03346940
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03341590 1_2_03341590
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03345582 1_2_03345582
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033475F4 1_2_033475F4
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033415D1 1_2_033415D1
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334AC10 1_2_0334AC10
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03346C06 1_2_03346C06
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334500A 1_2_0334500A
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033464A8 1_2_033464A8
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03341891 1_2_03341891
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03346498 1_2_03346498
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_0334609A 1_2_0334609A
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033448D2 1_2_033448D2
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059CC72C 1_2_059CC72C
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059CCC98 1_2_059CCC98
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059CAC70 1_2_059CAC70
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059CAC6B 1_2_059CAC6B
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059C9838 1_2_059C9838
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F016C 4_2_003F016C
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F0949 4_2_003F0949
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F09B7 4_2_003F09B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003ECA09 4_2_003ECA09
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003ECA75 4_2_003ECA75
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F03B7 4_2_003F03B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D016C 5_2_002D016C
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D0949 5_2_002D0949
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D09B7 5_2_002D09B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002CCA09 5_2_002CCA09
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002CCA75 5_2_002CCA75
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D03B7 5_2_002D03B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB09B7 6_2_00EB09B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB016C 6_2_00EB016C
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB0949 6_2_00EB0949
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EACA75 6_2_00EACA75
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EACA09 6_2_00EACA09
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB03B7 6_2_00EB03B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_031AE471 6_2_031AE471
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_031AE480 6_2_031AE480
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_031ABBD4 6_2_031ABBD4
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_06C20040 6_2_06C20040
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052FC72C 11_2_052FC72C
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052FAC6B 11_2_052FAC6B
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052FAC70 11_2_052FAC70
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052FCCA3 11_2_052FCCA3
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F9838 11_2_052F9838
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B0949 22_2_004B0949
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B016C 22_2_004B016C
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B09B7 22_2_004B09B7
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004ACA75 22_2_004ACA75
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004ACA09 22_2_004ACA09
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B03B7 22_2_004B03B7
PE file contains strange resources
Source: company profile.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UnShSbgF.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: company profile.exe Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000001.00000002.257978885.00000000063B0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs company profile.exe
Source: company profile.exe, 00000001.00000002.257978885.00000000063B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs company profile.exe
Source: company profile.exe, 00000001.00000002.257548044.00000000062B0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs company profile.exe
Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs company profile.exe
Source: company profile.exe, 00000001.00000000.214189125.0000000000FB8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000001.00000003.247183418.0000000003952000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs company profile.exe
Source: company profile.exe, 00000001.00000002.262266350.000000000D7C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000004.00000000.245747138.00000000003E8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000005.00000000.247912364.00000000002C8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe Binary or memory string: OriginalFilename vs company profile.exe
Source: company profile.exe, 00000006.00000002.587386894.0000000000EA8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000006.00000002.588949042.00000000015DA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs company profile.exe
Source: company profile.exe, 00000006.00000002.596906937.0000000006750000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe, 00000006.00000002.596330468.00000000057F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs company profile.exe
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company profile.exe
Source: company profile.exe, 0000000B.00000002.312572551.00000000031EE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs company profile.exe
Source: company profile.exe, 0000000B.00000002.308481106.000000000107A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs company profile.exe
Source: company profile.exe, 0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs company profile.exe
Source: company profile.exe, 0000000B.00000000.261152804.0000000000948000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 0000000B.00000002.315557540.0000000005CB0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs company profile.exe
Source: company profile.exe, 0000000B.00000002.315557540.0000000005CB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs company profile.exe
Source: company profile.exe, 0000000B.00000002.318131650.000000000CB20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs company profile.exe
Source: company profile.exe, 0000000B.00000002.314637005.0000000005BB0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs company profile.exe
Source: company profile.exe, 00000016.00000002.302743728.00000000004A8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000017.00000002.304090131.00000000004C8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000018.00000002.305392852.00000000001E8000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs company profile.exe
Source: company profile.exe, 00000019.00000002.327797268.0000000000668000.00000002.00020000.sdmp Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Source: company profile.exe Binary or memory string: OriginalFilename8v.exe. vs company profile.exe
Uses 32bit PE files
Source: company profile.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.596680972.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.company profile.exe.5bd0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: company profile.exe Static PE information: Section: EMP;sb ZLIB complexity 1.00031569693
Source: UnShSbgF.exe.1.dr Static PE information: Section: EMP;sb ZLIB complexity 1.00031569693
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@25/7@16/3
Source: C:\Users\user\Desktop\company profile.exe File created: C:\Users\user\AppData\Roaming\UnShSbgF.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Users\user\Desktop\company profile.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{0af7db9b-e643-4242-8d33-72a12cf49afa}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
Source: C:\Users\user\Desktop\company profile.exe File created: C:\Users\user\AppData\Local\Temp\tmp75B1.tmp
Source: C:\Users\user\Desktop\company profile.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\company profile.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\company profile.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: company profile.exe, 00000001.00000003.236561919.0000000003CB3000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000003.280780605.00000000035D3000.00000004.00000001.sdmp Binary or memory string: select * from PMS;select * from PMS where
Source: company profile.exe Virustotal: Detection: 33%
Source: company profile.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\company profile.exe File read: C:\Users\user\Desktop\company profile.exe
Source: unknown Process created: C:\Users\user\Desktop\company profile.exe 'C:\Users\user\Desktop\company profile.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\company profile.exe 'C:\Users\user\Desktop\company profile.exe' 0
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp'
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp'
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path}
Source: C:\Users\user\Desktop\company profile.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\company profile.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: company profile.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: company profile.exe Static file information: File size 1499648 > 1048576
Source: company profile.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\company profile.exe Unpacked PE file: 1.2.company profile.exe.ec0000.0.unpack EMP;:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Users\user\Desktop\company profile.exe Unpacked PE file: 11.2.company profile.exe.850000.0.unpack EMP;:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
.NET source code contains potential unpacker
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains sections with non-standard names
Source: company profile.exe Static PE information: section name: EMP;sb
Source: company profile.exe Static PE information: section name:
Source: UnShSbgF.exe.1.dr Static PE information: section name: EMP;sb
Source: UnShSbgF.exe.1.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_00F1A58E push edx; retf 1_2_00F1A5AC
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_00F1BC3D push cs; retf 1_2_00F1BC40
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_00F1A612 push edx; retf 1_2_00F1A5AC
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_033437C3 push edx; retf 1_2_033437C5
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_059C800B push 5D5F5E59h; ret 1_2_059C8003
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F402E push esi; retn 0003h 4_2_003F4077
Source: C:\Users\user\Desktop\company profile.exe Code function: 4_2_003F374E push es; retf 4_2_003F375C
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D402E push esi; retn 0003h 5_2_002D4077
Source: C:\Users\user\Desktop\company profile.exe Code function: 5_2_002D374E push es; retf 5_2_002D375C
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB402E push esi; retn 0003h 6_2_00EB4077
Source: C:\Users\user\Desktop\company profile.exe Code function: 6_2_00EB374E push es; retf 6_2_00EB375C
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_008AA58E push edx; retf 11_2_008AA5AC
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_008AA612 push edx; retf 11_2_008AA5AC
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_008ABC3D push cs; retf 11_2_008ABC40
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F0580 push edi; retf 11_2_052F0586
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F043B push esp; retf 11_2_052F0442
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F0439 push esp; retf 11_2_052F043A
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052FF138 push esp; retf 11_2_052FF139
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F6FE3 pushfd ; retf 11_2_052F6FEA
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F6FDF pushfd ; retf 11_2_052F6FE2
Source: C:\Users\user\Desktop\company profile.exe Code function: 11_2_052F1E2B pushad ; retf 11_2_052F1E32
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B402E push esi; retn 0003h 22_2_004B4077
Source: C:\Users\user\Desktop\company profile.exe Code function: 22_2_004B374E push es; retf 22_2_004B375C
Source: initial sample Static PE information: section name: EMP;sb entropy: 7.99980466465
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.company profile.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 25.2.company profile.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\company profile.exe File created: C:\Users\user\AppData\Roaming\UnShSbgF.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\company profile.exe File opened: C:\Users\user\Desktop\company profile.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (129 identical entries)
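The Zone.Identifier line in this section records the sample opening the alternate data stream on its own image with delete access, which strips the mark-of-the-web that Windows attached when the file was downloaded and with it the SmartScreen and Office protected-view checks that key on it. The Python below is an added example, not code from this report or from the sample: it parses the body of a Zone.Identifier stream (the ZoneId values are the Windows URL security zones) and classifies file-open events of the form shown above, flagging the case where a process deletes the stream on its own executable. The stream body is constructed for the example; the event line is the report's own.

```python
"""Mark-of-the-Web (Zone.Identifier) triage helpers.

Added example. SAMPLE_STREAM is a constructed stream body; SAMPLE_EVENT is the
file-open line from the report above, copied verbatim.
"""
import configparser
import re

# URL security zone values Windows writes into the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed: what a browser writes next to a downloaded file.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/company%20profile.scr\r\n")

# The report's own event line.
SAMPLE_EVENT = (r"Source: C:\Users\user\Desktop\company profile.exe File opened: "
                r"C:\Users\user\Desktop\company profile.exe:Zone.Identifier "
                r"read attributes | delete Jump to behavior")

EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) File opened: (?P<target>.+?):Zone\.Identifier "
    r"(?P<access>.*?)(?: Jump to behavior)?$", re.IGNORECASE)


def parse_zone_identifier(body):
    """Return the [ZoneTransfer] fields plus a readable zone name and an Internet flag."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(body)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream")
    fields = dict(cp["ZoneTransfer"])          # configparser lower-cases the keys
    zone = int(fields.get("zoneid", "0"))
    fields["zone_name"] = ZONE_NAMES.get(zone, "unknown")
    fields["from_internet"] = zone >= 3        # Internet or Restricted sites
    return fields


def read_motw(path):
    """Read the ADS from disk (Windows only); None when the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except (OSError, ValueError):
        return None


def classify_event(line):
    """Classify a 'File opened: <file>:Zone.Identifier <access>' report line."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    access = {a.strip().lower() for a in match["access"].split("|")}
    self_target = match["proc"].lower() == match["target"].lower()
    return {
        "process": match["proc"],
        "target": match["target"],
        "access": sorted(access),
        "removes_mark": "delete" in access,
        # A process unmarking its own image is the behaviour the report flags.
        "self_unmarking": self_target and "delete" in access,
    }


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(classify_event(SAMPLE_EVENT))
```

On a live host, read_motw on a suspicious binary tells you whether the mark is still present; a downloaded file that has lost it while the browser history says it came from the Internet is itself a finding.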

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 0000000B.00000002.309768585.0000000002DB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: company profile.exe, 00000001.00000002.252435267.000000000341D000.00000004.00000001.sdmp, company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\company profile.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\company profile.exe Thread delayed: delay time: 922337203685477 Jump to behavior (4 identical entries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\company profile.exe Window / User API: threadDelayed 4701 Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Window / User API: threadDelayed 4744 Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Window / User API: foregroundWindowGot 1245 Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Window / User API: foregroundWindowGot 413 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\company profile.exe TID: 2396 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 6140 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5328 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5856 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 5260 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical entries)
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: VMware
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: vmware
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: VMware
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: company profile.exe, 0000000B.00000002.311986136.0000000002FE2000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: company profile.exe, 00000006.00000002.589235943.000000000167D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: company profile.exe, 00000006.00000002.597580362.0000000007230000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\company profile.exe Process information queried: ProcessInformation Jump to behavior
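The memory strings above (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, the VMware Tools registry and install paths, the Scsi device map and Disk\Enum keys, the {4D36E968-...} display-adapter class) are the lookups behind the "Tries to detect sandboxes" and "Contains capabilities to detect virtual machines" signatures. The sample is .NET, so these literals sit in memory as UTF-16LE; an ASCII-only string search misses most of them, which is why Yara rules for this family carry the wide modifier. The Python below is an added example, not code from this report or from the sample: it scans a byte blob for those indicator strings in both encodings, case-insensitively, groups the hits by the evasion check they imply, and shows how much a narrow-only scan loses. The memory blob is constructed for the example; the indicator strings are the ones listed above.

```python
"""Anti-VM / anti-sandbox indicator scan over a memory blob.

Added example. INDICATORS are the strings quoted in the report above;
make_sample_blob() builds a constructed memory image to scan.
"""
import re
from collections import defaultdict

# Indicator strings from the report, grouped by the check they imply.
INDICATORS = {
    "sandboxie_dll": ["SbieDll.dll"],
    "wine_export": ["wine_get_unix_file_name"],
    "vmware_artifacts": ["VMware SVGA II",
                         "SOFTWARE\\VMware, Inc.\\VMware Tools",
                         "\\VMWARE\\VMWARE TOOLS\\"],
    "disk_enumeration": ["HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port",
                         "SYSTEM\\ControlSet001\\Services\\Disk\\Enum"],
    # Device setup class GUID for display adapters (reads the video adapter name).
    "display_adapter_class": ["{4D36E968-E325-11CE-BFC1-08002BE10318}"],
}


def _patterns():
    """Compile every indicator as ASCII and UTF-16LE, case-insensitive
    (the equivalent of Yara's 'nocase wide ascii')."""
    compiled = []
    for category, needles in INDICATORS.items():
        for needle in needles:
            for enc, data in (("ascii", needle.encode("ascii")),
                              ("utf-16le", needle.encode("utf-16-le"))):
                compiled.append((category, needle, enc,
                                 re.compile(re.escape(data), re.IGNORECASE)))
    return compiled


PATTERNS = _patterns()


def scan(blob, wide=True):
    """Return {category: [(indicator, encoding, offset), ...]} for all hits."""
    hits = defaultdict(list)
    for category, needle, enc, pattern in PATTERNS:
        if enc == "utf-16le" and not wide:
            continue                      # narrow-only scan, for comparison
        for match in pattern.finditer(blob):
            hits[category].append((needle, enc, match.start()))
    return dict(hits)


def verdict(hits, threshold=2):
    """Two or more independent check families is the bar used here (an assumption)."""
    categories = sorted(hits)
    if len(categories) >= threshold:
        return "anti-vm/anti-sandbox capability: " + ", ".join(categories)
    return "no conclusive anti-analysis indicators"


def make_sample_blob():
    """Constructed memory image: .NET literals as UTF-16LE plus two narrow strings."""
    wide_strings = [
        "VMware SVGA II",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "{4d36e968-e325-11ce-bfc1-08002be10318}\\0000",   # lower-case, as found in memory
    ]
    narrow_strings = [b"SbieDll.dll", b"WINE_GET_UNIX_FILE_NAME"]
    blob = bytearray(b"\x00" * 32)
    for text in wide_strings:
        blob += text.encode("utf-16-le") + b"\x00\x00" + b"\xcc" * 7
    for raw in narrow_strings:
        blob += raw + b"\x00" + b"\x90" * 5
    return bytes(blob)


if __name__ == "__main__":
    sample = make_sample_blob()
    full = scan(sample)
    for category, found in sorted(full.items()):
        for needle, enc, offset in found:
            print(f"{category:22s} {enc:8s} @0x{offset:04x}  {needle}")
    print("ascii-only would see:", sorted(scan(sample, wide=False)))
    print(verdict(full))
```

Run against a real process dump, the same scan gives a quick answer to "which VM and sandbox checks does this build contain" before any debugging; the category grouping matters more than the raw hit count, because a single product name such as VMware also appears legitimately in driver strings.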

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\company profile.exe Code function: 1_2_03341670 CheckRemoteDebuggerPresent, 1_2_03341670
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\company profile.exe Process queried: DebugPort Jump to behavior (4 identical entries)
Enables debug privileges
Source: C:\Users\user\Desktop\company profile.exe Process token adjusted: Debug Jump to behavior (3 identical entries)
Source: C:\Users\user\Desktop\company profile.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp' Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp' Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp' Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior
Source: company profile.exe, 00000006.00000002.597562460.00000000071ED000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: company profile.exe, 00000006.00000002.591492562.000000000330E000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa&l
Source: company profile.exe, 00000006.00000002.589576694.0000000001BE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
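The schtasks lines in this section repeat the persistence mechanism from the Boot Survival section, and show two details worth reading precisely. The 32-bit sample asks for C:\Windows\System32\schtasks.exe and WOW64 file-system redirection resolves it to C:\Windows\SysWOW64\schtasks.exe, so a rule keyed on the System32 image path alone never sees the launch; and the task definition is read from a tmp*.tmp file in the user's Temp folder, which is what the "Scheduled temp file as task from temp location" Sigma match refers to. The remaining lines show the sample starting its own image again, the pattern behind the suspended-process signature. The Python below is an added example, not part of the report: it parses these report lines (copied verbatim as the constructed input), extracts the task name and XML path, records the WOW64 redirection, and flags the self-spawn. The rule names are the example's own.

```python
"""Triage of the 'Process created' lines in this report.

Added example. REPORT_LINES are the report's own lines, pasted verbatim;
the rules and their names belong to this example, not to the sandbox.
"""
import re
from collections import Counter

REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmp75B1.tmp' Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp132E.tmp' Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UnShSbgF' /XML 'C:\Users\user\AppData\Local\Temp\tmpCFD7.tmp' Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
    r"Source: C:\Users\user\Desktop\company profile.exe Process created: C:\Users\user\Desktop\company profile.exe {path} Jump to behavior",
]

# parent image, child image (ends in .exe), then the command line as the report prints it.
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe) "
    r"(?P<cmdline>.*?)(?: Jump to behavior)?$", re.IGNORECASE)
# The report quotes arguments with single quotes; keep quoted spans together.
TOKEN_RE = re.compile(r"'[^']*'|\S+")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_event(line):
    """Turn one report line into {'parent', 'child', 'argv'}; None if it is not one."""
    match = LINE_RE.match(line)
    if not match:
        return None
    argv = [tok.strip("'") for tok in TOKEN_RE.findall(match["cmdline"])]
    return {"parent": match["parent"], "child": match["child"], "argv": argv}


def arg_after(argv, switch):
    """Value following a case-insensitive switch such as /tn or /xml, else None."""
    lowered = [a.lower() for a in argv]
    if switch in lowered and lowered.index(switch) + 1 < len(argv):
        return argv[lowered.index(switch) + 1]
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Apply the example's rules to one parsed event and return its findings."""
    parent, child, argv = event["parent"], event["child"], event["argv"]
    findings = []
    if basename(child) == "schtasks.exe" and "/create" in (a.lower() for a in argv):
        xml_path = arg_after(argv, "/xml") or ""
        # Task definition supplied from the user's Temp folder.
        if TEMP_MARKER in xml_path.lower():
            findings.append({"rule": "task_from_temp_xml",
                             "task": arg_after(argv, "/tn"), "xml": xml_path})
        # Caller named System32 but the 32-bit image under SysWOW64 ran:
        # WOW64 file-system redirection, so match on the basename, not the directory.
        if argv and "\\system32\\" in argv[0].lower() and "\\syswow64\\" in child.lower():
            findings.append({"rule": "wow64_redirected",
                             "requested": argv[0], "actual": child})
    # A process launching a fresh copy of its own image.
    if parent.lower() == child.lower():
        findings.append({"rule": "self_spawn", "image": child, "args": " ".join(argv)})
    return findings


def triage_lines(lines):
    findings = []
    for line in lines:
        event = parse_event(line)
        if event:
            findings.extend(triage(event))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = triage_lines(REPORT_LINES)
    for finding in results:
        print(finding)
    print(summarize(results))
```

The same rules port to Sysmon event ID 1 or EDR telemetry by swapping parse_event for the product's field names; the two details to carry over are matching schtasks on its basename rather than its directory, and treating the XML path under AppData\Local\Temp as the signal, since the task name ("Updates\UnShSbgF", "DHCP Monitor") is chosen by the operator and changes between builds.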

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Users\user\Desktop\company profile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\company profile.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: company profile.exe, 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: company profile.exe, 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: company profile.exe, 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.586154490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312703625.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590173141.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.594725698.0000000004229000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.329006639.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253304124.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.312777066.0000000003D37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.328915349.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.253470598.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.327635694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.597017105.0000000006840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 4920, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 5960, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: company profile.exe PID: 6080, type: MEMORY
Source: Yara match File source: 6.2.company profile.exe.6840000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.6840000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.company profile.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 342227 Sample: company profile.scr Startdate: 20/01/2021 Architecture: WINDOWS Score: 100

Signatures attached to the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 17 other signatures

Process tree recovered from the graph nodes (the graph image itself is not reproduced here):

company profile.exe (started)
    dropped: C:\Users\user\AppData\Roaming\UnShSbgF.exe, PE32
    dropped: C:\Users\user\AppData\Local\...\tmp75B1.tmp, XML
    dropped: C:\Users\user\...\company profile.exe.log, ASCII
    started: company profile.exe
        contacted: kcfresh.ddns.net 105.112.102.172, port 5050, VNL1-ASNG, Nigeria
        contacted: kcfresh.duckdns.org 185.140.53.227, ports 49713, 49717, 49718, DAVID_CRAIGGG, Sweden
        contacted: 192.168.2.1, unknown, unknown
        dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        started: schtasks.exe
            started: conhost.exe
    started: schtasks.exe
        started: conhost.exe
    started: company profile.exe
    started: company profile.exe
company profile.exe (started)
    started: schtasks.exe
        started: conhost.exe
    started: company profile.exe
    started: company profile.exe
    started: 2 other processes

Contacted Public IPs

IP               Domain   Country  ASN     ASN Name       Malicious
185.140.53.227   unknown  Sweden   209623  DAVID_CRAIGGG  true
105.112.102.172  unknown  Nigeria  36873   VNL1-ASNG      true

Private

IP
192.168.2.1

Contacted Domains

Name                 IP               Active
kcfresh.duckdns.org  185.140.53.227   true
kcfresh.ddns.net     105.112.102.172  true