Windows Analysis Report Nb2HQZZDIf

Overview

General Information

Sample Name: Nb2HQZZDIf (renamed file extension from none to exe)
Analysis ID: 452456
MD5: b8371590264db62ecbba4b7f481a21a8
SHA1: 837bfd10d70113330b2e00a1f12e99c4b0065d38
SHA256: fa3e22734ccb01da24364b65793ca5d2fafc53fbe6cef3eab8d76b158d1e0d7a
Tags: exetrojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to a URL shortener service
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 2.2.1234.exe.43e5a60.3.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\srvs.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\1234.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Nb2HQZZDIf.exe Virustotal: Detection: 22%
Source: Nb2HQZZDIf.exe ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: srvs.exe, 00000015.00000002.480413638.0000000001182000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140087A90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_0000000140087B90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D080
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140062320
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2390 FindFirstFileW, 0_2_00000001400C2390
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D405
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D40F
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D419
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D423
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D44D
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D478
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4BE
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4DF
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D500
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError, 0_2_000000014004D792
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_000000014004D7E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D990
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0000000140061A30
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose, 0_2_000000014004CAE0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0000000140032DC0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_000000014004DFA0

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\1234.exe DNS query: yspasenana.xyz
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49754
Connects to a URL shortener service
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe DNS query: name: is.gd
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49751 -> 5.149.255.203:32800
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: yspasenana.xyz Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: yspasenana.xyz Content-Length: 1151249 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: yspasenana.xyz Content-Length: 1151241 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/VerifyUpdate" Host: yspasenana.xyz Content-Length: 1151267 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 5.149.255.203:32800 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 5.149.255.203:32800 Content-Length: 1151929 Expect: 100-continue Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 5.149.255.203:32800 Content-Length: 1151921 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.25.233.53
Source: Joe Sandbox View IP Address: 104.192.141.1
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 5.149.255.203
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: iplogger.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: yspasenana.xyz Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmp String found in binary or memory: http://5.149.255.203:3
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp String found in binary or memory: http://5.149.255.203:32800
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://5.149.255.203:32800/
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp String found in binary or memory: http://5.149.255.203:328004
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp String found in binary or memory: http://ahkscript.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp String found in binary or memory: http://ahkscript.orgCould
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Nb2HQZZDIf.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCert
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: Nb2HQZZDIf.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: 1234.exe, 0000000F.00000003.359594805.0000000008A81000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000003.382117254.0000000008A92000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.385284106.0000000002B0B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: Nb2HQZZDIf.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/0
Source: 1234.exe, 0000000F.00000002.385167858.0000000002ADC000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsti
Source: srvs.exe, 00000015.00000002.484570685.0000000003975000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 1234.exe, 0000000F.00000002.386418247.0000000002C65000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: srvs.exe, 00000015.00000002.484619436.000000000397A000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484173181.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226713519.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 1234.exe, 00000002.00000003.218810935.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 1234.exe, 00000002.00000003.220817436.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 1234.exe, 00000002.00000003.220716049.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlyv
Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.219879289.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/v-s
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersZ
Source: 1234.exe, 00000002.00000003.221158654.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersb
Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: 1234.exe, 00000002.00000003.219461418.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: 1234.exe, 00000002.00000003.219508500.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerst
Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: 1234.exe, 00000002.00000003.221286981.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsF
Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comap
Source: 1234.exe, 00000002.00000003.221615342.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomd
Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdTF
Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdsed
Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.226658468.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: 1234.exe, 00000002.00000003.219345969.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comica
Source: 1234.exe, 00000002.00000003.220932014.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitum
Source: 1234.exe, 00000002.00000003.219912815.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comk:
Source: 1234.exe, 00000002.00000003.226824512.000000000600E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como:
Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsiv
Source: 1234.exe, 00000002.00000003.219078395.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: 1234.exe, 00000002.00000003.220606804.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueto3
Source: 1234.exe, 00000002.00000003.218854259.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comy
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: 1234.exe, 00000002.00000003.223065732.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/:
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: 1234.exe, 00000002.00000003.216141867.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: 1234.exe, 00000002.00000003.216400129.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/cros
Source: 1234.exe, 00000002.00000003.216270942.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/crosU
Source: 1234.exe, 00000002.00000003.216218362.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: 1234.exe, 00000002.00000003.216857497.0000000006011000.00000004.00000001.sdmp, 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: 1234.exe, 00000002.00000003.216456973.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/b
Source: 1234.exe, 00000002.00000003.216761673.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: 1234.exe, 00000002.00000003.216029142.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/rz
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: 1234.exe, 00000002.00000003.218706456.0000000005FEE000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de2(
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dea(
Source: 1234.exe, 00000002.00000003.221264276.0000000005FEE000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dera
Source: 1234.exe, 00000002.00000002.313581822.00000000071F2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 1234.exe, 00000002.00000003.215590431.0000000006011000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cntS
Source: 1234.exe, 0000000F.00000002.385785787.0000000002B7B000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz
Source: 1234.exe, 0000000F.00000002.386246795.0000000002C39000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz(h
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz/
Source: 1234.exe, 0000000F.00000002.386040704.0000000002BF7000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz4
Source: 1234.exe, 0000000F.00000002.384954052.0000000002A91000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz:80/
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb
Source: 1234.exe, srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: srvs.exe, 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sbx
Source: 1234.exe String found in binary or memory: https://api.ipify.org
Source: srvs.exe String found in binary or memory: https://api.ipify.orgcookies//setti
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: Nb2HQZZDIf.exe String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/b~
Source: 1234.exe, 0000000F.00000002.385267737.0000000002B04000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/74c745b8-de86-
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/80e8feaa-7504-
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com4
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exe
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exel:%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/1234.exeu
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385200656.0000000002AE6000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/6.exe
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org4
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: 1234.exe, 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, srvs.exe, srvs.exe, 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: Nb2HQZZDIf.exe String found in binary or memory: https://iplogger.org/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp String found in binary or memory: https://iplogger.org/1Bwjj7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Bwjj7%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/
Source: Nb2HQZZDIf.exe, Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, Nb2HQZZDIf.exe, 00000000.00000002.308831972.0000000140141000.00000040.00020000.sdmp String found in binary or memory: https://is.gd/dg3E5g
Source: Nb2HQZZDIf.exe, 00000000.00000003.305082174.00000000008E8000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5g%A_AppData%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5g7
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5gA63
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5gC
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5gS6%
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/dg3E5g_6
Source: Nb2HQZZDIf.exe, 00000000.00000003.305200649.000000000097C000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385654345.0000000002B23000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484424033.00000000038B1000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484402616.00000000038AD000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Nb2HQZZDIf.exe, 00000000.00000002.306921781.0000000000968000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Nb2HQZZDIf.exe String found in binary or memory: https://sectigo.com/CPS0C
Source: 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, Nb2HQZZDIf.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 1234.exe, 0000000F.00000002.387385172.0000000002E5C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Nb2HQZZDIf.exe, 00000000.00000002.307504905.0000000002D90000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, 1234.exe, 0000000F.00000002.385633709.0000000002B1F000.00000004.00000001.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: Nb2HQZZDIf.exe, 00000000.00000002.307182139.00000000009AD000.00000004.00000020.sdmp, 1234.exe, 0000000F.00000002.386125107.0000000002C08000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.484347085.0000000003898000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 1234.exe, 0000000F.00000002.388024887.0000000002F8C000.00000004.00000001.sdmp, srvs.exe, 00000015.00000002.485106038.0000000003AFD000.00000004.00000001.sdmp, tmpEE20.tmp.15.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.25.233.53:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.216.94.27:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.80.20:443 -> 192.168.2.3:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard, 0_2_00000001400053A0
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData, 0_2_0000000140005280
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject, 0_2_0000000140042E80
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140011052 GetKeyboardState, 0_2_0000000140011052
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW, 0_2_00000001400018BA

System Summary:

.NET source code contains very large strings
Source: 1234.exe.0.dr, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
PE file contains section with special chars
Source: srvs.exe.15.dr Static PE information: section name:
Source: srvs.exe.15.dr Static PE information: section name:
Source: srvs.exe.15.dr Static PE information: section name:
Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Window found: window name: AutoHotkey
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW, 0_2_0000000140043AD0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW, 0_2_000000014004438A
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W, 0_2_0000000140043BF6
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W, 0_2_0000000140043C50
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W, 0_2_0000000140043C8B
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W, 0_2_0000000140043CAC
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W, 0_2_0000000140043CD9
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00000001400492B0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00000001400624E0
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 00000001400A6D70 appears 354 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 0000000140086C40 appears 51 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 00000001400A4F28 appears 34 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 00000001400A9358 appears 45 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 0000000140035BF0 appears 107 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 0000000140035870 appears 77 times
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: String function: 00000001400C2598 appears 38 times
PE / OLE file has an invalid certificate
Source: Nb2HQZZDIf.exe Static PE information: invalid certificate
PE file contains strange resources
Source: Nb2HQZZDIf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1234.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: srvs.exe.15.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Nb2HQZZDIf.exe, 00000000.00000000.201173150.000000014015E000.00000008.00020000.sdmp Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs Nb2HQZZDIf.exe
Source: Nb2HQZZDIf.exe, 00000000.00000002.307447286.0000000002D80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Nb2HQZZDIf.exe
Source: Nb2HQZZDIf.exe, 00000000.00000002.308499274.0000000005560000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Nb2HQZZDIf.exe
Source: Nb2HQZZDIf.exe, 00000000.00000002.307537646.0000000002D98000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOtxiH.exe2 vs Nb2HQZZDIf.exe
Source: Nb2HQZZDIf.exe Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs Nb2HQZZDIf.exe
Source: 1234.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Nb2HQZZDIf.exe Static PE information: Section: .MPRESS1 ZLIB complexity 1.00032224103
Source: srvs.exe.15.dr Static PE information: Section: ZLIB complexity 0.999643083756
Source: srvs.exe.15.dr Static PE information: Section: .vimp0 ZLIB complexity 0.997845143779
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/60@15/8
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0000000140036D50
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00000001400624E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C22C0 GetDiskFreeSpaceW, 0_2_00000001400C22C0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW, 0_2_0000000140088BA0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe File created: C:\Users\user\AppData\Roaming\field
Source: C:\Users\user\AppData\Roaming\1234.exe File created: C:\Users\user\AppData\Local\Temp\tmp253A.tmp
Source: C:\Users\user\AppData\Roaming\1234.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\1234.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\1234.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Nb2HQZZDIf.exe Virustotal: Detection: 22%
Source: Nb2HQZZDIf.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\Nb2HQZZDIf.exe 'C:\Users\user\Desktop\Nb2HQZZDIf.exe'
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Process created: C:\Users\user\AppData\Roaming\1234.exe C:\Users\user\AppData\Roaming\1234.exe 1234
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Local\Temp\srvs.exe 'C:\Users\user\AppData\Local\Temp\srvs.exe'
Source: C:\Users\user\AppData\Roaming\1234.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\1234.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Nb2HQZZDIf.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: srvs.exe, 00000015.00000002.480413638.0000000001182000.00000040.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Unpacked PE file: 0.2.Nb2HQZZDIf.exe.140000000.2.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Unpacked PE file: 21.2.srvs.exe.df0000.0.unpack :ER; :R; :R;.vm_sec:W;.idata:W;.vimp0:ER;.themida:EW;.boot:ER;.vimp0:ER;.rsrc:R; vs :ER; :R; :R;
.NET source code contains potential unpacker
Source: 1234.exe.0.dr, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: srvs.exe.15.dr Static PE information: 0xE3EEDDA9 [Wed Mar 7 05:05:45 2091 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains an invalid checksum
Source: 1234.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xf8b72
Source: Nb2HQZZDIf.exe Static PE information: real checksum: 0x99744 should be: 0xa8478
PE file contains sections with non-standard names
Source: Nb2HQZZDIf.exe Static PE information: section name: .MPRESS1
Source: Nb2HQZZDIf.exe Static PE information: section name: .MPRESS2
Source: srvs.exe.15.dr Static PE information: section name:
Source: srvs.exe.15.dr Static PE information: section name:
Source: srvs.exe.15.dr Static PE information: section name:
Source: srvs.exe.15.dr Static PE information: section name: .vm_sec
Source: srvs.exe.15.dr Static PE information: section name: .vimp0
Source: srvs.exe.15.dr Static PE information: section name: .themida
Source: srvs.exe.15.dr Static PE information: section name: .boot
Source: srvs.exe.15.dr Static PE information: section name: .vimp0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_00931234 push ss; ret 0_3_00931251
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_009B669E pushad ; retf 0_3_009B6721
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_009B5593 pushfd ; ret 0_3_009B5595
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_009B09D4 pushfd ; ret 0_3_009B09D6
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_009AEE08 push esi; retn 0000h 0_3_009AEE0F
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_3_009B9770 pushfd ; ret 0_3_009B9772
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2620 push rax; retf 0_2_00000001400C2641
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2630 push rax; retf 0_2_00000001400C2641
Source: C:\Users\user\AppData\Roaming\1234.exe Code function: 2_2_0160F960 push esp; iretd 2_2_0160F969
Source: C:\Users\user\AppData\Roaming\1234.exe Code function: 2_2_017E112D push FFFFFF8Bh; iretd 2_2_017E112F
Source: C:\Users\user\AppData\Roaming\1234.exe Code function: 2_2_079047E9 push 1441A4BAh; iretd 2_2_079047F8
Source: C:\Users\user\AppData\Roaming\1234.exe Code function: 15_2_0297EEC0 push ecx; ret 15_2_0297F112
Source: C:\Users\user\AppData\Roaming\1234.exe Code function: 15_2_0297F100 push ecx; ret 15_2_0297F112
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Code function: 21_2_031D4215 push FFFFFF8Bh; iretd 21_2_031D4223
Source: initial sample Static PE information: section name: .MPRESS1 entropy: 7.9995184158
Source: initial sample Static PE information: section name: .text entropy: 7.5685116349
Source: initial sample Static PE information: section name: entropy: 7.98684257143
Source: initial sample Static PE information: section name: .vimp0 entropy: 7.99703516028
Source: initial sample Static PE information: section name: .vimp0 entropy: 7.29946899453
Source: 1234.exe.0.dr, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 1234.exe.0.dr, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 1234.exe.0.dr, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 1234.exe.0.dr, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 1234.exe.0.dr, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 1234.exe.0.dr, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 1234.exe.0.dr, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 1234.exe.0.dr, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 1234.exe.0.dr, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 1234.exe.0.dr, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.0.1234.exe.cf0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.2.1234.exe.cf0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.2.1234.exe.2e0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.0.1234.exe.2e0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe File created: C:\Users\user\AppData\Roaming\1234.exe
Source: C:\Users\user\AppData\Roaming\1234.exe File created: C:\Users\user\AppData\Local\Temp\srvs.exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 32800
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 32800 -> 49754
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014008B0A0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 0_2_000000014008B0A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400881E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00000001400881E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014008B280 GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, 0_2_000000014008B280
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014005E330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC, 0_2_000000014005E330
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, 0_2_0000000140075850
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140044A00 IsDlgButtonChecked,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,IsDlgButtonChecked, 0_2_0000000140044A00
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140071A10 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 0_2_0000000140071A10
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2BE0 IsIconic, 0_2_00000001400C2BE0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140040D29 IsZoomed,IsIconic, 0_2_0000000140040D29
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140079D90 IsDlgButtonChecked,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,IsDlgButtonChecked,GetWindowLongW,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,IsDlgButtonChecked,SetFocus,MapWindowPoints,InvalidateRect, 0_2_0000000140079D90
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Process information set: NOOPENFILEERRORBOX (65 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1234.exe PID: 4628, type: MEMORY
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\1234.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1234.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\1234.exe Window / User API: threadDelayed 678
Source: C:\Users\user\AppData\Roaming\1234.exe Window / User API: threadDelayed 8242
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Window / User API: threadDelayed 562
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Window / User API: threadDelayed 5387
Is looking for software installed on the system
Source: C:\Users\user\AppData\Roaming\1234.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\1234.exe TID: 6008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\1234.exe TID: 1320 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\srvs.exe TID: 5404 Thread sleep time: -3689348814741908s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts). Caveat: the functions below belong to Nb2HQZZDIf.exe, which this report identifies as a compiled AutoHotkey binary, and GetKeyboardLayout also appears next to keybd_event in the keystroke-simulation routine listed further down, so these comparisons are most likely the AutoHotkey runtime's key-sending code rather than a sample-specific language geofence; treat the GetLocalTime branches listed next with the same reservation.
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es) 0_2_0000000140013FF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru) 0_2_0000000140014380
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400055F0 GetKeyboardLayout followed by cmp: cmp ebx, 0ah and CTI: jl 0000000140005720h country: Spanish (es) 0_2_00000001400055F0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh 0_2_000000014000DAA0
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp word ptr [rbx], ax and CTI: je 0000000140046041h 0_2_0000000140045CF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140045F13h 0_2_0000000140045CF0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140087A90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_0000000140087B90
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D080
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140062320
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2390 FindFirstFileW, 0_2_00000001400C2390
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D405
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D40F
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D419
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D423
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D44D
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D478
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4A0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4BE
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4DF
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D500
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError, 0_2_000000014004D792
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_000000014004D7E0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D990
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0000000140061A30
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose, 0_2_000000014004CAE0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0000000140032DC0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_000000014004DFA0
Source: C:\Users\user\AppData\Roaming\1234.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1234.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Thread delayed: delay time: 922337203685477
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Nb2HQZZDIf.exe Binary or memory string: Hyper-V RAW
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 1234.exe, 00000002.00000002.304591133.00000000031FC000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\AppData\Local\Temp\srvs.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Process information queried: ProcessInformation
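Added example (not part of the sandbox report, and not code from the sample): a PowerShell audit that reads, on the analysis VM itself, the exact WMI classes and registry values the entries above show 1234.exe and srvs.exe inspecting, so an analyst can see which hypervisor artifacts the sample would find before the next detonation. The artifact list is taken from the report; the substring patterns (vmware, vbox, virtualbox, qemu, virtual, hyper-v) and the Test-Artifact helper are assumptions of this example, since the report only evidences the strings "vmware", "VMware SVGA II" and "VBOX__".

```powershell
# Added example, not code from the sample or the sandbox report.
# Run as administrator on the analysis VM; reads the same artifacts the sample reads.
# Pattern list is an assumption: the report evidences "vmware", "VMware SVGA II", "VBOX__".
$patterns = @('vmware', 'vbox', 'virtualbox', 'qemu', 'virtual', 'hyper-v')

function Test-Artifact {
    param([string]$Label, [string]$Value)
    $hit = $false
    foreach ($p in $patterns) {
        if ($Value -and $Value.ToLowerInvariant().Contains($p)) { $hit = $true }
    }
    [pscustomobject]@{ Artifact = $Label; Value = $Value; Exposed = $hit }
}

$results = @()

# WMI classes queried by 1234.exe and srvs.exe (root\cimv2, per the report)
foreach ($d in Get-CimInstance -Namespace root\cimv2 -ClassName Win32_DiskDrive) {
    $results += Test-Artifact 'Win32_DiskDrive.Model' $d.Model
}
foreach ($v in Get-CimInstance -Namespace root\cimv2 -ClassName Win32_VideoController) {
    $results += Test-Artifact 'Win32_VideoController.Name' $v.Name
}
foreach ($c in Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Processor) {
    $results += Test-Artifact 'Win32_Processor.Name' $c.Name
}

# Registry values read by srvs.exe (BIOS strings are REG_MULTI_SZ, hence -join)
$sys = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
$results += Test-Artifact 'SystemBiosVersion' ($sys.SystemBiosVersion -join ' ')
$results += Test-Artifact 'VideoBiosVersion'  ($sys.VideoBiosVersion -join ' ')

$disp = Get-ItemProperty 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000' -ErrorAction SilentlyContinue
$results += Test-Artifact 'Display DriverDesc' $disp.DriverDesc

# Keys whose mere existence gives the VM away (opened by srvs.exe / present in 1234.exe strings)
$presenceKeys = @(
    'HKLM:\HARDWARE\ACPI\DSDT\VBOX__',
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
)
foreach ($k in $presenceKeys) {
    $exists = Test-Path $k
    $results += [pscustomobject]@{ Artifact = $k; Value = $exists; Exposed = $exists }
}

# SCSI identifiers and disk enumeration paths found in the 1234.exe memory strings
foreach ($port in 1, 2) {
    $k  = "HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port $port\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
    $id = (Get-ItemProperty $k -ErrorAction SilentlyContinue).Identifier
    $results += Test-Artifact "Scsi Port $port Identifier" $id
}
$enum = Get-ItemProperty 'HKLM:\SYSTEM\ControlSet001\Services\Disk\Enum' -ErrorAction SilentlyContinue
$results += Test-Artifact 'Services\Disk\Enum\0' $enum.'0'

$results | Format-Table -AutoSize
if ($results | Where-Object Exposed) {
    Write-Warning 'This VM exposes hypervisor artifacts that the sample checks for.'
}
```

Every row marked Exposed is a value the sample can read with the same ExecQuery or registry call the report records; the usual remediation is to rewrite the exposed strings at the hypervisor layer (SMBIOS, disk and display device names) rather than in the guest registry, because WMI reports what the virtual hardware presents.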

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
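Added example (not part of the sandbox report, and not code from the sample): the same FindWindow probe srvs.exe performs against the six window classes and titles listed above, reproduced in PowerShell so an analyst can check which Sysinternals monitors are visible to the sample on the analysis host. The report prints the names lowercased; the casing used here follows the tools' registered names and is an assumption, as are the Win32.NativeMethods wrapper and the Find-AnalysisWindow helper.

```powershell
# Added example, not code from the sample or the sandbox report.
# user32!FindWindow wrapper; the sample resolves the same API to probe for monitoring tools.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
'@

# (class name, window title) pairs from the report; $null means "match on the other field only".
# Casing is an assumption: the report lowercases what it observed.
$probes = @(
    @('RegmonClass',          $null),
    @('PROCMON_WINDOW_CLASS', $null),
    @('FilemonClass',         $null),
    @($null, 'Process Monitor - Sysinternals: www.sysinternals.com'),
    @($null, 'Registry Monitor - Sysinternals: www.sysinternals.com'),
    @($null, 'File Monitor - Sysinternals: www.sysinternals.com')
)

function Find-AnalysisWindow {
    foreach ($p in $probes) {
        $hwnd = [Win32.NativeMethods]::FindWindow($p[0], $p[1])
        [pscustomobject]@{
            Class   = $p[0]
            Title   = $p[1]
            Visible = ($hwnd -ne [IntPtr]::Zero)
            Handle  = $hwnd
        }
    }
}

$found = Find-AnalysisWindow | Where-Object Visible
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning 'The sample would detect these tools by window name; run them with a renamed title or in another session.'
} else {
    'No monitoring-tool windows visible via FindWindow.'
}
```

FindWindow only sees top-level windows on the calling desktop, so a monitor running on a separate desktop or session is invisible to this probe; that is the cheapest way to keep Process Monitor attached during detonation without triggering this check.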
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Process queried: DebugObjectHandle
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400B12B0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C2648 GetStringTypeW,GetProcessHeap,IsValidCodePage, 0_2_00000001400C2648
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\1234.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\1234.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400BC054 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400BC054
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400B12B0
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C24B8 SetUnhandledExceptionFilter, 0_2_00000001400C24B8
Source: C:\Users\user\AppData\Roaming\1234.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\1234.exe Memory written: C:\Users\user\AppData\Roaming\1234.exe base: 400000 value starts with: 4D5A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0000000140036D50
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140010F60 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState, 0_2_0000000140010F60
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140062600 mouse_event, 0_2_0000000140062600
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Roaming\1234.exe {path}
Source: C:\Users\user\AppData\Roaming\1234.exe Process created: C:\Users\user\AppData\Local\Temp\srvs.exe 'C:\Users\user\AppData\Local\Temp\srvs.exe'
Source: Nb2HQZZDIf.exe, srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Nb2HQZZDIf.exe, srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory"
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%u...%s[%Iu of %Iu]: %-1.60s%s\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPClipboardAllComSpecFalseProgramFilesTrueAhkPathAhkVersionAppDataAppDataCommonBatchLinesCaretXCaretYComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultGuiDefaultListViewDefaultMouseSpeedDefaultTreeViewDesktopDesktopCommonEndCharEventInfoExitReasonFormatFloatFormatIntegerGuiControlEventGuiEventGuiHeightGuiWidthGuiXGuiYHourIconFileIconHiddenIconNumberIconTipIndexIPAddress1IPAddress2IPAddress3IPAddress4Is64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedIsUnicodeKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileLongPathLoopFileNameLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegSubKeyLoopRegTimeModifiedLoopRegTypeMDayMinMMMMMMMMMMonMouseDelayMouseDelayPlayMSecMyDocumentsNowNowUTCNumBatchLinesOSTypeOSVersionPriorHotkeyPriorKeyProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapslockModeThisFuncThisHotkeyThisLabelThisMenuThisMenuItemThisMenuItemPosTickCountTimeIdleTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedUserNameWDayWinDelayWinDirWorkingDirYDayYearYWeekYYYYRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
Source: srvs.exe, 00000015.00000002.482785153.0000000001B80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Users\user\AppData\Roaming\1234.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Users\user\AppData\Roaming\1234.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_00000001400C22A8 GetLocalTime, 0_2_00000001400C22A8
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_000000014004F760 GetComputerNameW,GetUserNameW, 0_2_000000014004F760
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140001270 GetModuleHandleW,GetProcAddress,GetVersionExW, 0_2_0000000140001270
Source: C:\Users\user\AppData\Roaming\1234.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\srvs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 2.2.1234.exe.43e5a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1234.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.1234.exe.43e5a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.srvs.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ElectrumRule
Source: 1234.exe, 0000000F.00000002.385654345.0000000002B23000.00000004.00000001.sdmp String found in binary or memory: JaxxxLiberty
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpath
Source: 1234.exe, 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ExodusRule
Source: srvs.exe String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Roaming\1234.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\1234.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\srvs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Nb2HQZZDIf.exe Binary or memory string: WIN_XP
Source: Nb2HQZZDIf.exe, 00000000.00000002.308759798.00000001400DD000.00000040.00020000.sdmp Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowInputThenPlayLogoffSingle1.1.23.05\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003%04hXcomspecAppStartingArrowCrossIBeamNoUncheckChooseChooseStringEnabledVisibleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceLineCountCurrentLineCurrentColadvapi32RunAs: Missing advapi32.dll.CreateProcessWithLogonWCreateProcessWithLogonW.0.0.0.0&CombowininetInternetOpenWInternetOpenUrlWInternetCloseHandleInternetReadFileExAInternetReadFilewbThe maximum number of Folder Dialogs has been reached.Select Folder - %sshell32SHEmptyRecycleBinW%u.%u.%u.%u\*.*SeShutdownPrivilegeCreateToolhelp32SnapshotProcess32FirstWProcess32NextWComObjTypenameiidNo valid COM object!0x%08X -
Source: Nb2HQZZDIf.exe Binary or memory string: WIN_VISTA
Source: Nb2HQZZDIf.exe Binary or memory string: WIN_7
Source: Nb2HQZZDIf.exe Binary or memory string: WIN_8
Source: Nb2HQZZDIf.exe Binary or memory string: WIN_8.1
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 2.2.1234.exe.43e5a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1234.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.1234.exe.43e5a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.srvs.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.475705492.0000000000DF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.382545912.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.306824778.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.382601084.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000015.00000002.484278366.000000000386E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1234.exe PID: 2524, type: MEMORY
Source: Yara match File source: Process Memory Space: srvs.exe PID: 5088, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140017E10 Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize, 0_2_0000000140017E10
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140058440 RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140058440
Source: C:\Users\user\Desktop\Nb2HQZZDIf.exe Code function: 0_2_0000000140018920 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140018920