Analysis Report 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe

Overview

General Information

Sample Name: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Analysis ID: 433010
MD5: 4df9b2c6531cde226bf1b0ae86d41162
SHA1: 9a42c49714905ea1e5f042a683fd80ecff10fc87
SHA256: 4714d68dbb9f9ac36425f2ec73ed434cf57407f36063c391e0bfbb9d0b96bbf9
Tags: exenjratRAT
Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\Music\fullview.exe Avira: detection malicious, Label: HEUR/AGEN.1122310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Avira: detection malicious, Label: HEUR/AGEN.1122310
Found malware configuration
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack Malware Configuration Extractor: Njrat {"Install Dir": "svchost.exe", "Install Name": "strangerstrek.duckdns.org", "Host": "True", "Port": "2090", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "Comienzo", "Version": "0.7.3"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\Music\fullview.exe ReversingLabs: Detection: 79%
Multi AV Scanner detection for submitted file
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Virustotal: Detection: 67%
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe ReversingLabs: Detection: 79%
Yara detected Njrat
Machine Learning detection for dropped file
Source: C:\Users\user\Music\fullview.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.fullview.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 18.2.fullview.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.fullview.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 18.0.fullview.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.fullview.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.fullview.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.759339723.0000000006710000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818685449.0000000006D70000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.833000474.00000000065D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.833594288.0000000007010000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49768 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49769 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49770 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49771 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49772 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49773 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49774 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49777 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49778 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49779 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49780 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49781 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49782 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49783 -> 192.169.69.25:2090
Source: Traffic Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49784 -> 192.169.69.25:2090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: True
Uses dynamic DNS services
Source: unknown DNS query: name: strangerstrek.duckdns.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.169.69.25 192.169.69.25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000002.751847611.00000231CFB00000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Watch this video to learn how to pay us https://www.youtube.com/watch?v=Ji9IwPId5UkQThis is not a joke. This is a ransomware}Ransomware: Couldn't send address. The stub has no BTC address equals www.youtube.com (Youtube)
Source: svchost.exe, 00000009.00000003.731322628.00000231CFB50000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-06-09T08:40:24.6537940Z||.||70a39ee4-92a6-4b9a-9580-ae2703a9cc56||1152921505693564220||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-06-09T08:39:31.1120019Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: unknown DNS traffic detected: queries for: strangerstrek.duckdns.org
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: fullview.exe, 0000000C.00000003.746795395.0000000005A4D000.00000004.00000001.sdmp, fullview.exe, 0000000C.00000003.746606206.0000000005A4D000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp String found in binary or memory: http://ns.adob
Source: fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co
Source: fullview.exe, 0000000C.00000003.811336680.0000000005A4D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adom
Source: fullview.exe, 00000004.00000003.753222861.0000000005433000.00000004.00000001.sdmp, fullview.exe, 00000004.00000003.688463111.000000000542D000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro
Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637470883.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com=
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637436308.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comCInN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637571579.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comcro
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637522421.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comh-c
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637389364.0000000005089000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comyrl
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639668812.0000000005087000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.638929660.0000000005087000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers5
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.639326811.0000000005086000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersN
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635522881.000000000509B000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635541486.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comQ
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.635626829.000000000509B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comicj
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636982622.00000000050BD000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636923218.00000000050BD000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn7
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636890228.0000000005084000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cns
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641328281.0000000005086000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm0
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.641286865.0000000005085000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmX
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krO
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: svchost.exe, 00000009.00000002.751687464.00000231CF2EE000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636768655.0000000005083000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.636489484.0000000005082000.00000004.00000001.sdmp, 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637170702.0000000005082000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com&
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637155791.0000000005083000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comadnl
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.637627152.0000000005088000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comlic
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003.640449829.0000000005086000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.682796551.0000000005230000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.757479680.0000000005590000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818003800.0000000005D20000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.831503249.0000000005480000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.832439838.0000000005FA0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736861958.00000231CFB41000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736891454.00000231CFB50000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000009.00000003.728657876.00000231CFB8C000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000009.00000003.736811427.00000231CFB9F000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.736758526.00000231CFB94000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.youtube.com/watch?v=Ji9IwPId5UkQThis
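Almost every URL in the string list above is carved from memory that the sample and the system processes share with benign content: font licence metadata (fontbureau, carterandcone, tiro, urwpp and similar vendors embedded in Windows font files), XMP namespaces (ns.adobe.com), DigiCert CRL/OCSP endpoints, and Microsoft Store catalog JSON (Messenger, Roblox, G5 titles) sitting in svchost.exe. The two strings that matter to an analyst are the dynamic-DNS query for strangerstrek.duckdns.org, which matches the "Uses dynamic DNS services" and "C2 URLs / IPs found in malware configuration" signatures, and the YouTube link inside the embedded ransom-note text. The script below is an added example, not part of the report or of any sandbox vendor's tooling; it parses report lines of this shape, folds the trailing-byte and truncated variants ("…carterandcone.comCInN", "ns.ado") onto one canonical host, records which dumped processes contained each host, and separates dynamic-DNS and unknown hosts from the noise. The noise allowlist and the dynamic-DNS provider list are assumptions chosen for illustration, and SAMPLE_REPORT holds constructed copies of lines from this report.

```python
"""Triage of a sandbox report's 'String found in binary or memory' and DNS lines:
separates the actionable network indicators (a dynamic-DNS C2 host, an unknown
host) from the font-licence, PKI and Store-catalog noise that fills the list.

Added example; not part of the report or of any sandbox vendor's tooling.
SAMPLE_REPORT holds constructed copies of lines from this report; NOISE_HOSTS
and DYNDNS_SUFFIXES are assumed lists chosen for illustration.
"""
import re
from collections import defaultdict

# Hosts that routinely surface in memory dumps of .NET GUI processes and of
# svchost.exe: embedded font licence metadata, XMP namespaces, CRL/OCSP URLs,
# Microsoft Store catalog JSON. Assumed allowlist; extend per environment.
NOISE_HOSTS = (
    "www.fontbureau.com", "www.carterandcone.com", "www.fonts.com",
    "www.founder.com.cn", "www.galapagosdesign.com", "www.goodfont.co.kr",
    "www.jiyu-kobo.co.jp", "www.sajatypeworks.com", "www.sakkal.com",
    "www.sandoll.co.kr", "www.tiro.com", "www.typography.net", "www.urwpp.de",
    "www.zhongyicts.com.cn", "fontfabrik.com", "ns.adobe.com",
    "ns.microsoft.com", "www.apache.org", "cacerts.digicert.com",
    "crl3.digicert.com", "crl4.digicert.com", "ocsp.digicert.com",
    "www.microsoft.com", "corp.roblox.com", "www.roblox.com",
    "en.help.roblox.com", "www.g5e.com", "support.g5e.com",
    "www.facebook.com", "messenger.com",
)

# Free dynamic-DNS providers commonly used for njRAT-style C2 (assumed list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.biz", ".ddns.net",
                   ".hopto.org", ".zapto.org", ".myftp.org", ".sytes.net")

URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: ([A-Za-z0-9.\-]+)")
# "fullview.exe, 0000000C.00000003.…sdmp": process image and its report index.
PROC_RE = re.compile(r"([\w\-.]+\.exe), ([0-9A-Fa-f]{8})\.")


def classify_host(host):
    """Return (category, canonical_host).

    Strings carved from memory often carry trailing bytes from the next
    object ("…carterandcone.comCInN") or are cut short ("ns.ado"), so noise
    matching is done by prefix in both directions rather than by equality.
    """
    h = host.lower().rstrip(".")
    if any(h.endswith(s) for s in DYNDNS_SUFFIXES):
        return "dynamic-dns", h
    for known in NOISE_HOSTS:
        if h.startswith(known) or (len(h) >= 6 and known.startswith(h)):
            return "noise", known
    return "review", h


def triage(report_lines):
    """Map category -> canonical host -> sorted 'image#index' labels of the
    processes whose dumps contained it ('network' for DNS-capture lines)."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in report_lines:
        procs = {f"{name}#{int(idx, 16)}" for name, idx in PROC_RE.findall(line)}
        for host in URL_RE.findall(line) + DNS_RE.findall(line):
            category, canonical = classify_host(host)
            seen[category][canonical].update(procs or {"network"})
    return {cat: {h: sorted(p) for h, p in hosts.items()}
            for cat, hosts in seen.items()}


def indicators(report_lines):
    """Hosts an analyst should act on or look at: everything that is not noise."""
    return {cat: sorted(hosts) for cat, hosts in triage(report_lines).items()
            if cat != "noise"}


SAMPLE_REPORT = [  # constructed copies of lines from this report
    "Source: unknown DNS traffic detected: queries for: strangerstrek.duckdns.org",
    "Source: svchost.exe, 00000009.00000002.751615644.00000231CF2BD000.00000004."
    "00000001.sdmp String found in binary or memory: "
    "http://crl3.digicert.com/DigiCertGlobalRootG2.crl07",
    "Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000003."
    "637436308.0000000005088000.00000004.00000001.sdmp String found in binary "
    "or memory: http://www.carterandcone.comCInN",
    "Source: fullview.exe, 0000000C.00000003.746795395.0000000005A4D000.00000004."
    "00000001.sdmp String found in binary or memory: http://ns.ado",
    "Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002."
    "681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 0000000B."
    "00000000.736589256.0000000000402000.00000040.00000001.sdmp, svchost.exe, "
    "00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp String "
    "found in binary or memory: https://www.youtube.com/watch?v=Ji9IwPId5UkQThis",
]

if __name__ == "__main__":
    for cat, hosts in triage(SAMPLE_REPORT).items():
        for host, procs in hosts.items():
            print(f"{cat:12} {host:28} {', '.join(procs)}")
```

On the sample, the only dynamic-DNS hit is strangerstrek.duckdns.org from the network capture, www.youtube.com is left for review because it is carried by the sample, a fullview.exe child and the injected svchost.exe (process indices 0, 11 and 17), and the digicert, carterandcone and ns.adobe strings are folded into the noise bucket. The same prefix trick is what lets the truncated "http://www.tiro." and "http://ns.ado" fragments in the report be attributed to their font-vendor and XMP origins instead of being investigated one by one.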

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to log keystrokes (.Net Source)
Source: 11.0.fullview.exe.400000.1.unpack, Lime/kl.cs .Net Code: VKCodeToUnicode
Source: 11.0.fullview.exe.400000.1.unpack, LimeSL.cs .Net Code: SetHook
Source: 11.2.fullview.exe.400000.0.unpack, Lime/kl.cs .Net Code: VKCodeToUnicode
Source: 11.2.fullview.exe.400000.0.unpack, LimeSL.cs .Net Code: SetHook
Source: 16.2.fullview.exe.400000.0.unpack, LimeSL.cs .Net Code: SetHook
Source: 16.2.fullview.exe.400000.0.unpack, Lime/kl.cs .Net Code: VKCodeToUnicode
Creates a DirectInput object (often for capturing keystrokes)
Source: svchost.exe, 00000011.00000002.828234765.0000000001200000.00000004.00000001.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: DirectDrawCreateEx is an export of ddraw.dll (DirectDraw, a graphics interface), not a DirectInput (dinput8.dll) API, and the matched string is an XML hook-configuration fragment naming that module and function rather than evidence that a keyboard device was opened. Treat this hit as weak on its own; the keylogging assessment rests on the .NET SetHook and VKCodeToUnicode code listed above, which is consistent with a keyboard hook whose virtual-key codes are translated to characters.

E-Banking Fraud:

barindex
Yara detected Njrat
Source: Yara match File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
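The match list above names two kinds of artefacts. A MEMORY source such as 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp is a memory dump whose dotted fields line up with the report's other identifiers: the first field is the hexadecimal process index (0000000C is process 12, the same process as 12.2.fullview.exe.*), the second is the run phase, the third a dump id, the fourth the start address of the dumped region, and the fifth a Windows page-protection value (00000040 is PAGE_EXECUTE_READWRITE, the RWX mapping at 0x402000 that the injected fullview.exe/svchost.exe images run from; 00000004 is PAGE_READWRITE heap). An UNPACKEDPE source such as 12.2.fullview.exe.46a7ead.7.raw.unpack carries the decimal process index, run phase, image name and the address of the PE carved out of memory. The script below is an added example, not part of the sandbox report or of Joe Sandbox, that parses both forms, decodes the protection field, flags RWX regions and ties each unpacked PE back to the dump region it was carved from. The field meanings are an assumption inferred from how the identifiers correlate on this page (the sixth dump field is left undecoded), and the sample input is a handful of lines copied from the list above.

```python
"""Parse sandbox memory-dump / unpacked-PE identifiers and correlate them.

Added example for the report above; field meanings are assumptions inferred
from how the identifiers line up (e.g. 0000000C.* <-> 12.2.fullview.exe.*).
"""
import re
from collections import defaultdict

# Constructed sample: six lines copied from the report's Yara match list.
SAMPLE_LINES = """\
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
"""

# Windows PAGE_* constants; assumption: the 5th dump field holds this value.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))

MEM_RE = re.compile(
    r"^Source: (?P<src>(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)"
    r"\.(?P<start>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp), "
    r"type: MEMORY Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")
PE_RE = re.compile(
    r"^Source: (?P<src>(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?\.exe)\.(?P<addr>[0-9A-Fa-f]+)"
    r"\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack), type: UNPACKEDPE Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")


def decode_protection(value):
    """Render a PAGE_* protection value as its symbolic name plus any modifier bits."""
    base = PAGE_PROTECTIONS.get(value & 0xFF, f"0x{value & 0xFF:02x}")
    return "|".join([base] + [name for bit, name in PAGE_MODIFIERS if value & bit])


def parse_report(text):
    """Split report lines into memory-dump and unpacked-PE records; other lines are ignored."""
    dumps, unpacked = [], []
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            dumps.append({"source": m["src"], "proc": int(m["proc"], 16), "run": int(m["run"], 16),
                          "dump_id": m["dump"], "start": int(m["start"], 16),
                          "protection": decode_protection(int(m["prot"], 16)),
                          "rule": m["rule"], "author": m["author"]})
            continue
        m = PE_RE.match(line)
        if m:
            unpacked.append({"source": m["src"], "proc": int(m["proc"]), "run": int(m["run"]),
                             "image": m["image"], "addr": int(m["addr"], 16), "raw": bool(m["raw"]),
                             "rule": m["rule"], "author": m["author"]})
    return dumps, unpacked


def rwx_regions(dumps):
    """Sources of dumps taken from PAGE_EXECUTE_READWRITE memory, the usual injection tell."""
    return [d["source"] for d in dumps if d["protection"].startswith("PAGE_EXECUTE_READWRITE")]


def correlate(dumps, unpacked):
    """Map each unpacked PE to the dump of the same process/run whose start address is the
    highest one at or below the PE address; None when no such dump was listed."""
    by_proc = defaultdict(list)
    for d in dumps:
        by_proc[(d["proc"], d["run"])].append(d)
    result = {}
    for pe in unpacked:
        cands = [d for d in by_proc[(pe["proc"], pe["run"])] if d["start"] <= pe["addr"]]
        best = max(cands, key=lambda d: d["start"], default=None)
        result[pe["source"]] = best["source"] if best else None
    return result


def rules_by_process(dumps, unpacked):
    """Set of matched rule names per process index, across both artefact kinds."""
    out = defaultdict(set)
    for entry in dumps + unpacked:
        out[entry["proc"]].add(entry["rule"])
    return dict(out)


if __name__ == "__main__":
    dumps, unpacked = parse_report(SAMPLE_LINES)
    for src, region in correlate(dumps, unpacked).items():
        print(f"{src} -> {region}")
    for src in rwx_regions(dumps):
        print("RWX region:", src)
    for proc, rules in sorted(rules_by_process(dumps, unpacked).items()):
        print(f"process {proc}: {sorted(rules)}")
```

The nearest-lower-start heuristic is deliberately loose because the identifiers carry no region size: 12.2.fullview.exe.46a7ead.7 resolves to the 0x46A7000 heap dump of process 12, while 11.0.fullview.exe.400000.1 (the whole hollowed image at its base) gets no match because the only listed dump for that process starts at 0x402000, one page above it. Run against the full match list rather than the six sample lines, the RWX filter reduces the hundreds of entries to the handful of 0x402000 regions where the injected njRAT payload actually executes.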
.NET source code contains very large array initializations
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: fullview.exe.0.dr, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 0.0.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3d0000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 4.2.fullview.exe.740000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 4.0.fullview.exe.740000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: svchost.exe.11.dr, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 11.0.fullview.exe.dc0000.2.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 11.0.fullview.exe.dc0000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 11.2.fullview.exe.dc0000.1.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 12.0.fullview.exe.d30000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 12.2.fullview.exe.d30000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 13.0.fullview.exe.580000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 13.2.fullview.exe.580000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 16.0.fullview.exe.d40000.0.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Source: 16.0.fullview.exe.d40000.2.unpack, busnnett/U1.cs Large array initialization: GetByte: array initializer size 74240
Creates files inside the system directory
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Deletes files inside the Windows folder
Source: C:\Users\user\Music\fullview.exe File deleted: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.5616.4731968
Detected potential crypto function
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Code function: 0_2_04C12548 0_2_04C12548
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_05122548 4_2_05122548
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_05832548 12_2_05832548
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_05072548 13_2_05072548
Sample file is different than original file name gathered from version info
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685770002.0000000006DF0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameeconomymode.exe8 vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685742568.0000000006DD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.686354866.0000000007350000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.686354866.0000000007350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.685866192.0000000007250000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000000.634243918.000000000045E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamezsinnadaverde.exe vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Binary or memory string: OriginalFilenamezsinnadaverde.exe vs 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Uses 32bit PE files
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
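The matched-rule lines above share one layout: a memory-dump name, the matching rule, then comma-separated rule metadata. The Python below is an added example, not part of this report or of the cited YARA rule sets; it parses lines in that layout and groups hits per process so an analyst can see which processes carry njRAT-tagged memory, which independent rule authors agree, and which dump to pull first. Reading the dump name as <process number>.<stage>.<image>.<base address>.<index>[.raw].unpack is an assumption about the report's naming; the five sample lines are copied from the matches above.

```python
import re
from collections import defaultdict

# Five lines copied from the matches above; any line in the same layout works.
SAMPLE_LINES = [
    "Source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan",
    "Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
    "Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net",
]

LINE_RE = re.compile(
    r"^Source:\s+(?P<dump>\S+),\s+type:\s+(?P<kind>\w+)\s+Matched rule:\s+(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Assumed reading of the dump name: <process number>.<stage>.<image>.<base>.<index>[.raw].unpack
DUMP_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-fA-F]+)\.(?P<index>\d+)(?P<raw>\.raw)?\.unpack$"
)
# "key = value" pairs; a value runs until the next ", key =" or end of line,
# so URLs and free-text descriptions that contain commas survive intact.
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")


def parse_match_line(line):
    """Return a dict for one 'Matched rule' line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = DUMP_RE.match(m["dump"])
    meta = dict(META_RE.findall(m["meta"]))
    return {
        "dump": m["dump"],
        "proc": int(d["proc"]) if d else None,
        "image": d["image"] if d else m["dump"],
        "raw": bool(d and d["raw"]),
        "rule": m["rule"],
        "author": meta.get("author", "unknown"),
        "meta": meta,
    }


def hits_per_process(lines):
    """Map (image, process number) -> set of rule names that fired on its dumps."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_match_line(line)
        if rec:
            hits[(rec["image"], rec["proc"])].add(rec["rule"])
    return dict(hits)


def family_hits(lines, family="njrat"):
    """Per image, the authors of rules whose name carries the family tag,
    so independent rule sets can be cross-checked before trusting the verdict."""
    by_image = defaultdict(set)
    for line in lines:
        rec = parse_match_line(line)
        if rec and family in rec["rule"].lower():
            by_image[rec["image"]].add(rec["author"])
    return {image: sorted(authors) for image, authors in by_image.items()}


if __name__ == "__main__":
    for (image, proc), rules in sorted(hits_per_process(SAMPLE_LINES).items()):
        print(f"{image} (process {proc}): {', '.join(sorted(rules))}")
    print(family_hits(SAMPLE_LINES))
```

Feed it the full list of matched-rule lines from a report and the per-process view falls out directly; in this report both the dropped svchost.exe and fullview.exe hit njRAT rules from two unrelated authors, which is stronger evidence than any single rule.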
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fullview.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 11.0.fullview.exe.400000.1.unpack, Rware.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.fullview.exe.400000.1.unpack, RwareDE.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.fullview.exe.400000.0.unpack, Rware.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.fullview.exe.400000.0.unpack, RwareDE.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 16.2.fullview.exe.400000.0.unpack, RwareDE.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 16.2.fullview.exe.400000.0.unpack, Rware.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.fullview.exe.400000.1.unpack, BotKillers.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.fullview.exe.400000.0.unpack, BotKillers.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@19/16@16/1
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Code function: 0_2_05210AFE AdjustTokenPrivileges, 0_2_05210AFE
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Code function: 0_2_05210AC7 AdjustTokenPrivileges, 0_2_05210AC7
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_06C70AFE AdjustTokenPrivileges, 4_2_06C70AFE
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_06C70AEC AdjustTokenPrivileges, 4_2_06C70AEC
Source: C:\Users\user\Music\fullview.exe Code function: 11_2_0318259E AdjustTokenPrivileges, 11_2_0318259E
Source: C:\Users\user\Music\fullview.exe Code function: 11_2_03182567 AdjustTokenPrivileges, 11_2_03182567
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_05900AFE AdjustTokenPrivileges, 12_2_05900AFE
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_05900AC7 AdjustTokenPrivileges, 12_2_05900AC7
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_05150AFE AdjustTokenPrivileges, 13_2_05150AFE
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_05150AC7 AdjustTokenPrivileges, 13_2_05150AC7
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File created: C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Music\fullview.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (6 identical entries)
Source: C:\Users\user\Music\fullview.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (6 identical entries)
Source: C:\Users\user\Music\fullview.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (6 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: C:\Users\user\Music\fullview.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Virustotal: Detection: 67%
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File read: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe
Source: unknown Process created: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe 'C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p (4 identical entries)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe'
Source: C:\Users\user\Music\fullview.exe Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe (3 identical entries)
Source: unknown Process created: C:\Users\user\Music\fullview.exe 'C:\Users\user\Music\fullview.exe' -boot (2 identical entries)
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.684656632.00000000067A0000.00000002.00000001.sdmp, fullview.exe, 00000004.00000002.759339723.0000000006710000.00000002.00000001.sdmp, fullview.exe, 0000000C.00000002.818685449.0000000006D70000.00000002.00000001.sdmp, fullview.exe, 0000000D.00000002.833000474.00000000065D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.833594288.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 11.0.fullview.exe.400000.1.unpack, Lime/Core.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.fullview.exe.400000.0.unpack, Lime/Core.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.fullview.exe.400000.0.unpack, Lime/Core.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Code function: 0_2_0045B55B push es; iretd 0_2_0045B6DA
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_007CB55B push es; iretd 4_2_007CB6DA
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_010D841E push ebp; ret 4_2_010D8429
Source: C:\Users\user\Music\fullview.exe Code function: 4_2_010D7FC9 push ecx; ret 4_2_010D841D
Source: C:\Users\user\Music\fullview.exe Code function: 11_2_00E4B55B push es; iretd 11_2_00E4B6DA
Source: C:\Users\user\Music\fullview.exe Code function: 11_2_0573063F push 6D2AC360h; ret 11_2_05730656
Source: C:\Users\user\Music\fullview.exe Code function: 11_2_0573051B push 6D2AC310h; ret 11_2_05730532
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_00DBB55B push es; iretd 12_2_00DBB6DA
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_016A83DE push ecx; ret 12_2_016A841D
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_016A8423 push ebp; ret 12_2_016A8429
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_016A8502 push 00000001h; retf 12_2_016A8504
Source: C:\Users\user\Music\fullview.exe Code function: 12_2_016A8497 push 00000001h; ret 12_2_016A84A4
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_0060B55B push es; iretd 13_2_0060B6DA
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_00BF841E push ebp; ret 13_2_00BF8429
Source: C:\Users\user\Music\fullview.exe Code function: 13_2_00BF7FC9 push ecx; ret 13_2_00BF841D
Source: C:\Users\user\Music\fullview.exe Code function: 16_2_00DCB55B push es; iretd 16_2_00DCB6DA
Source: initial sample Static PE information: section name: .text entropy: 7.9564698476 (3 identical entries)

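Taken together, the three signals in this section (a .text section flagged EXECUTE|CODE|READ, Assembly.Load(byte[]) in Lime/Core.cs, and a .text entropy of 7.956 out of a maximum 8) describe a packed loader: the visible code section is mostly encrypted or compressed payload that a small stub decodes at runtime and loads reflectively. The Python below is an added example, not the sandbox's own code, showing how that entropy figure is derived: a minimal PE section-table parser, Shannon entropy per section, and a flag for executable sections above a threshold. The PE image it scans is constructed inside the block (a seeded pseudo-random .text beside a repetitive .data); the 7.0 threshold is a common triage cut-off, not a value the report states.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Return [(name, characteristics, raw_bytes)] for each section of a PE image.
    Only the header fields needed to reach the section table are parsed."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name, raw_size, raw_ptr, chars = f[0], f[3], f[4], f[9]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def suspicious_code_sections(data, threshold=7.0):
    """[(name, entropy)] for executable code sections above the threshold. Compiled
    code normally lands well below 7; values near 8, as in the report, mean the
    section is carrying encrypted or compressed content rather than instructions."""
    out = []
    for name, chars, raw in pe_sections(data):
        if chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            h = shannon_entropy(raw)
            if h > threshold:
                out.append((name, round(h, 3)))
    return out


def build_sample_pe():
    """Constructed minimal PE32 image (not a real sample): one high-entropy
    .text and one low-entropy .data section, enough for the parser above."""
    rng = random.Random(0x4714)                     # seeded so the output is reproducible
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    data_sec = b"Hello from .data\0" * 256
    opt_size = 0xE0                                 # PE32 optional header size
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * 2
    text_ptr = (headers_end + 0x1FF) & ~0x1FF      # 512-byte file alignment
    data_ptr = (text_ptr + len(text) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic

    def section(name, size, va, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, chars)

    table = section(b".text", len(text), 0x1000, text_ptr, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    table += section(b".data", len(data_sec), 0x3000, data_ptr, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    img += b"\0" * (text_ptr - len(img)) + text
    img += b"\0" * (data_ptr - len(img)) + data_sec
    return img


if __name__ == "__main__":
    image = build_sample_pe()
    for name, chars, raw in pe_sections(image):
        print(f"{name:8s} chars=0x{chars:08X} entropy={shannon_entropy(raw):.3f}")
    print("flagged:", suspicious_code_sections(image))
```

Running it on a file from disk is a one-line change (read the bytes instead of calling build_sample_pe); the seeded 4096-byte .text lands around 7.95, the same neighbourhood as the report's 7.956, while the repetitive .data stays under 4.
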
Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Music\fullview.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Drops PE files
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File created: C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Music\fullview.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Music\fullview.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Music\fullview.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Music\fullview.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Source: C:\Users\user\Music\fullview.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fullview (2 identical entries)

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Music\fullview.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe File opened: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Music\fullview.exe File opened: C:\Users\user\Music\fullview.exe:Zone.Identifier read attributes | delete (3 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier read attributes | delete
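The process tree and the persistence and hiding artifacts in this report (explorer.exe invoked with a "select," command line to launch the drop, a svchost.exe written to and started from the user's Startup folder, an HKCU Run value, the Explorer "Hidden" view setting, and Zone.Identifier streams opened with delete access) are each visible in ordinary endpoint telemetry. The Python below is an added example, not part of this report, that turns them into rules and runs them over constructed process, file-create, file-open and registry events in a generic field layout (not a particular EDR's schema). Paths and command lines are the ones listed above; the data of the Run value and of the Hidden value, and the parent of the legitimate svchost.exe control event, are assumptions, since the report records value names but not their contents.

```python
import ntpath

SAMPLE = r"C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe"
DROP = r"C:\Users\user\Music\fullview.exe"
STARTUP_SVCHOST = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed events in the order the report shows them. Field names are generic;
# the "data" of both registry writes is assumed, the report does not record it.
EVENTS = [
    {"type": "process", "pid": 1, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f"'{SAMPLE}'"},
    {"type": "file_create", "pid": 1, "image": SAMPLE, "path": DROP},
    {"type": "process", "pid": 2, "image": r"C:\Windows\SysWOW64\explorer.exe", "parent_image": SAMPLE,
     "cmdline": r"'C:\Windows\System32\explorer.exe' /c select, " + DROP},
    {"type": "process", "pid": 3, "image": DROP, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f"'{DROP}'"},
    {"type": "file_create", "pid": 3, "image": DROP, "path": STARTUP_SVCHOST},
    {"type": "registry_set", "pid": 3, "image": DROP, "key": HKCU_RUN, "value": "fullview", "data": DROP},
    {"type": "registry_set", "pid": 3, "image": DROP, "key": HKCU_ADV, "value": "Hidden", "data": "2"},
    {"type": "file_open", "pid": 3, "image": DROP, "path": DROP + ":Zone.Identifier", "access": "read attributes | delete"},
    {"type": "process", "pid": 4, "image": STARTUP_SVCHOST, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f"'{STARTUP_SVCHOST}'"},
    # Benign controls: the real service host (parent assumed), and Explorer changing its own view setting.
    {"type": "process", "pid": 5, "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "registry_set", "pid": 6, "image": r"C:\Windows\explorer.exe", "key": HKCU_ADV, "value": "Hidden", "data": "1"},
]

SYSTEM_BINARY_HOMES = {  # partial list; extend from a known-good inventory of the fleet
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%appdata%", "%localappdata%", "%temp%", "%userprofile%")


def rule_masquerade(ev):
    """A Windows system binary name running from, or written to, a directory that is not its home."""
    if ev["type"] not in ("process", "file_create"):
        return None
    path = ev["image"] if ev["type"] == "process" else ev["path"]
    homes = SYSTEM_BINARY_HOMES.get(ntpath.basename(path.lower()))
    if homes and ntpath.dirname(path.lower()) not in homes:
        return f"system binary name outside its home directory: {path}"


def rule_startup_pe(ev):
    """A PE written to the per-user Startup folder runs at every logon."""
    if ev["type"] == "file_create":
        low = ev["path"].lower()
        if low.endswith(".exe") and ntpath.dirname(low).endswith(r"\start menu\programs\startup"):
            return f"PE written to Startup folder: {ev['path']}"


def rule_run_key(ev):
    """Run value whose target lives in a user-writable location."""
    if ev["type"] == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run"):
        if ev.get("data", "").lower().strip("'\"").startswith(USER_WRITABLE):
            return f"Run value {ev['value']!r} points to user-writable path {ev['data']}"


def rule_hidden_toggle(ev):
    """Explorer's hidden-files view setting changed by something other than Explorer."""
    if (ev["type"] == "registry_set" and ev["key"].lower().endswith(r"\explorer\advanced")
            and ev["value"].lower() == "hidden" and ntpath.basename(ev["image"].lower()) != "explorer.exe"):
        return f"Explorer 'Hidden' view setting changed by {ev['image']}"


def rule_motw_removed(ev):
    """Zone.Identifier stream opened with delete access: the mark-of-the-web is being stripped."""
    if ev["type"] == "file_open" and ev["path"].lower().endswith(":zone.identifier") and "delete" in ev.get("access", "").lower():
        return f"Zone.Identifier stream opened for delete on {ev['path'].rsplit(':', 1)[0]}"


def rule_explorer_select(ev):
    """explorer.exe started with a 'select,' argument by a non-Explorer parent: Explorer used as a launcher."""
    if ev["type"] == "process" and ntpath.basename(ev["image"].lower()) == "explorer.exe" and "select," in ev["cmdline"].lower():
        if ntpath.basename(ev.get("parent_image", "").lower()) != "explorer.exe":
            return f"explorer.exe used as a launcher by {ev['parent_image']}: {ev['cmdline']}"


RULES = {
    "masquerade": rule_masquerade, "startup_pe": rule_startup_pe, "run_key_user_path": rule_run_key,
    "hidden_files_toggle": rule_hidden_toggle, "motw_removed": rule_motw_removed, "explorer_select_launch": rule_explorer_select,
}


def evaluate(events):
    """Return (rule name, pid, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((name, ev["pid"], detail))
    return findings


if __name__ == "__main__":
    for name, pid, detail in evaluate(EVENTS):
        print(f"[{name}] pid {pid}: {detail}")
```

Against the constructed events the rules fire seven times on the sample's chain and not at all on the two control events; the masquerade rule fires twice because the Startup-folder svchost.exe is caught both when it is written and when it runs, which is the redundancy you want when one of the two event sources is missing.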
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Music\fullview.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Music\fullview.exe Window / User API: threadDelayed 3133
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe TID: 7000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 1288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7020 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 6492 Thread sleep count: 3133 > 30
Source: C:\Users\user\Music\fullview.exe TID: 3296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 1000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 5892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 5112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Music\fullview.exe TID: 5400 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Music\fullview.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Music\fullview.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp Binary or memory string: VBoxServiceoAntiProcess: VirtrualBox was detected! I deleted myself
Source: explorer.exe, 00000003.00000002.900998536.0000000001187000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000009.00000002.751700582.00000231CF2F9000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000009.00000002.751687464.00000231CF2EE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp Binary or memory string: VGAuthServiceeAntiProcess: VMware was detected! I deleted myself
Source: fullview.exe, 0000000B.00000002.901269787.0000000001453000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: svchost.exe, 00000001.00000002.650495613.00000246B8660000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.706979746.00000296A1F40000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.718917935.0000023B3CB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.752331008.00000231D0200000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Process token adjusted: Debug
Source: C:\Users\user\Music\fullview.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 11.0.fullview.exe.400000.1.unpack, Lime/Core.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.0.fullview.exe.400000.1.unpack, Lime/kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 11.2.fullview.exe.400000.0.unpack, Lime/Core.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 11.2.fullview.exe.400000.0.unpack, Lime/kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 16.2.fullview.exe.400000.0.unpack, Lime/Core.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 16.2.fullview.exe.400000.0.unpack, Lime/kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Music\fullview.exe Memory written: C:\Users\user\Music\fullview.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c select, C:\Users\user\Music\fullview.exe
Source: C:\Users\user\Music\fullview.exe Process created: C:\Users\user\Music\fullview.exe C:\Users\user\Music\fullview.exe
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.901239924.00000000017E0000.00000002.00000001.sdmp, fullview.exe, 0000000B.00000002.901557417.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: fullview.exe, 0000000B.00000002.902417621.0000000003501000.00000004.00000001.sdmp Binary or memory string: Program Manager|9
Source: fullview.exe, 0000000B.00000002.902417621.0000000003501000.00000004.00000001.sdmp Binary or memory string: Program Manager<
Source: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe, 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, fullview.exe, 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, fullview.exe, 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, fullview.exe, 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, fullview.exe, 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, fullview.exe, 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, svchost.exe, 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, fullview.exe, 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Music\fullview.exe Queries volume information: C:\ VolumeInformation (12 identical queries recorded)
Source: C:\Users\user\Desktop\4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: fullview.exe, 0000000B.00000002.901269787.0000000001453000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Music\fullview.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct (14 identical queries recorded)

Stealing of Sensitive Information:

Yara detected Njrat
Source: Yara match File source: 0000000B.00000000.736589256.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.900690082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.817394894.00000000046A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.811837590.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.756321021.000000000320B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681356331.0000000003C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.756794475.0000000003FB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.813989539.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.821203720.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.796452577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.829265628.0000000003691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.755773699.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.837153151.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.830327224.0000000003DE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.831852482.0000000004877000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.829183550.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.828936006.0000000002C18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.680120099.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe PID: 6964, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 7088, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 1668, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 5616, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 7080, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 5544, type: MEMORY
Source: Yara match File source: Process Memory Space: fullview.exe PID: 6400, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4576, type: MEMORY
Source: Yara match File source: 12.2.fullview.exe.46a7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.46a7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.351dc45.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36e488d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.3c47ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e2916d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c4edb9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.3de7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c62b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ac84f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.4877ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.3fb7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e3cebc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.3de7ead.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.3fb7ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36e488d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe.2ab47a1.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c62b08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.3531994.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.4877ead.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e3cebc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.fullview.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.fullview.exe.2c4edb9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.fullview.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36f85dc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.3531994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.svchost.exe.36f85dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.fullview.exe.351dc45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fullview.exe.2e2916d.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Njrat
Source: Yara match File sources: the same 18 memory dumps, 8 process memory spaces and 36 unpacked PE regions listed under "Stealing of Sensitive Information" above.