Windows Analysis Report 10377 APT800_B0205K0384.exe

Overview

General Information

Sample Name: 10377 APT800_B0205K0384.exe
Analysis ID: 492186
MD5: 4f0f86315b42b8dad8a1b430d5ac084a
SHA1: e50192512d5cf87ece05a1b3974fccc652eff93b
SHA256: 8222127c77b4f83832246e9ce96da7741f1352da9d3548ad8b959b2e00b54c0d
Tags: exe, nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9358a53f-433c-42f5-bd3f-14ae4da5", "Group": "Mine", "Domain1": "mec.sytes.net", "Domain2": "mec.sytes.net", "Port": 3259, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: 10377 APT800_B0205K0384.exe Virustotal: Detection: 23%
Source: 10377 APT800_B0205K0384.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for domain / URL
Source: mec.sytes.net Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xErAccEJcQLD.exe ReversingLabs: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR
Machine Learning detection for sample
Source: 10377 APT800_B0205K0384.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xErAccEJcQLD.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: 10377 APT800_B0205K0384.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 10377 APT800_B0205K0384.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mec.sytes.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49769 -> 194.5.97.210:3259
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet1.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet2.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet3.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet4.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet5.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet6.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet7.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet8.xsd
Source: 10377 APT800_B0205K0384.exe String found in binary or memory: http://tempuri.org/educrossDataSet9.xsd
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.668065555.00000000051E6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.668696632.00000000051BE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlt
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.709575017.00000000051BE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comase
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.709575017.00000000051BE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.commeta4
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.709575017.00000000051BE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.663769191.00000000051BB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.665144024.00000000051AE000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/v:
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.664841177.00000000051A5000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnopoJ
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.664956704.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cns-cN
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp, 10377 APT800_B0205K0384.exe, 00000000.00000002.717203972.00000000051A0000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666946127.00000000051C3000.00000004.00000001.sdmp, 10377 APT800_B0205K0384.exe, 00000000.00000003.666651887.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666946127.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(=
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666491209.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666166391.00000000051BB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/H?
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666166391.00000000051BB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666651887.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666651887.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0l
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666421425.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s4
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666946127.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666651887.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666166391.00000000051BB000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-b
Source: 10377 APT800_B0205K0384.exe, 00000000.00000003.666491209.00000000051C3000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/xI
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.717417194.00000000063B2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: mec.sytes.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.710684503.0000000000918000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.5200000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.10377 APT800_B0205K0384.exe.2ee166c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.930218155.0000000005200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: 10377 APT800_B0205K0384.exe, facreg.cs Long String: Length: 217893
Uses 32bit PE files
Source: 10377 APT800_B0205K0384.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.5200000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.5200000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.10377 APT800_B0205K0384.exe.2ee166c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.2ee166c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.930218155.0000000005200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.930218155.0000000005200000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02551CF8 0_2_02551CF8
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_025578E0 0_2_025578E0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_025505B0 0_2_025505B0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02557634 0_2_02557634
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02557638 0_2_02557638
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02558BF9 0_2_02558BF9
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_025578DB 0_2_025578DB
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02551CEF 0_2_02551CEF
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_025505AB 0_2_025505AB
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D58AB0 0_2_06D58AB0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D526A0 0_2_06D526A0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D53A69 0_2_06D53A69
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D50239 0_2_06D50239
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D50970 0_2_06D50970
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D53510 0_2_06D53510
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D51D33 0_2_06D51D33
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D562F9 0_2_06D562F9
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D58AA0 0_2_06D58AA0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D55608 0_2_06D55608
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D553C0 0_2_06D553C0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D557C0 0_2_06D557C0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D553B0 0_2_06D553B0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D58F68 0_2_06D58F68
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D541DB 0_2_06D541DB
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D555F9 0_2_06D555F9
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D541E0 0_2_06D541E0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D55199 0_2_06D55199
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D5D180 0_2_06D5D180
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D521A8 0_2_06D521A8
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D551A8 0_2_06D551A8
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D53501 0_2_06D53501
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B523A0 7_2_02B523A0
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B52FA8 7_2_02B52FA8
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B58F18 7_2_02B58F18
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B58318 7_2_02B58318
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B5AB78 7_2_02B5AB78
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B53850 7_2_02B53850
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B58FDF 7_2_02B58FDF
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B5306F 7_2_02B5306F
Contains functionality to call native functions
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0507334A NtQuerySystemInformation, 0_2_0507334A
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_05073310 NtQuerySystemInformation, 0_2_05073310
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05160FEA NtQuerySystemInformation, 7_2_05160FEA
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05160FAF NtQuerySystemInformation, 7_2_05160FAF
Sample file is different than original file name gathered from version info
Source: 10377 APT800_B0205K0384.exe Binary or memory string: OriginalFilename vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.718651459.00000000087B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.709902982.00000000001B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUe1vZiW.exe4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.710684503.0000000000918000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.718025479.0000000006D20000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000005.00000000.706602369.00000000002F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUe1vZiW.exe4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000006.00000002.708267047.0000000000172000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUe1vZiW.exe4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929204128.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe, 00000007.00000000.708875214.0000000000712000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUe1vZiW.exe4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe Binary or memory string: OriginalFilenameUe1vZiW.exe4 vs 10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe Virustotal: Detection: 23%
Source: 10377 APT800_B0205K0384.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File read: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe
Source: 10377 APT800_B0205K0384.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe 'C:\Users\user\Desktop\10377 APT800_B0205K0384.exe'
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xErAccEJcQLD' /XML 'C:\Users\user\AppData\Local\Temp\tmp1570.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe {path}
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe {path}
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe {path}
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0507301E AdjustTokenPrivileges, 0_2_0507301E
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_05072FE7 AdjustTokenPrivileges, 0_2_05072FE7
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05160DAA AdjustTokenPrivileges, 7_2_05160DAA
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05160D73 AdjustTokenPrivileges, 7_2_05160D73
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File created: C:\Users\user\AppData\Roaming\xErAccEJcQLD.exe
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File created: C:\Users\user\AppData\Local\Temp\tmp1570.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@19/2
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.709902982.00000000001B2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000005.00000000.706602369.00000000002F2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000006.00000002.708267047.0000000000172000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000007.00000000.708875214.0000000000712000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [cr_db] ([crno], [dept], [year], [sub], [topic], [facid], [qtot]) VALUES (@crno, @dept, @year, @sub, @topic, @facid, @qtot);
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.709902982.00000000001B2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000005.00000000.706602369.00000000002F2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000006.00000002.708267047.0000000000172000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000007.00000000.708875214.0000000000712000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[studentreg] SET [prno] = @prno, [fname] = @fname, [mname] = @mname, [lname] = @lname, [rollno] = @rollno, [year] = @year, [div] = @div, [contact] = @contact, [password] = @password, [age] = @age, [gender] = @gender, [regdate] = @regdate WHERE (([prno] = @Original_prno) AND ((@IsNull_fname = 1 AND [fname] IS NULL) OR ([fname] = @Original_fname)) AND ((@IsNull_mname = 1 AND [mname] IS NULL) OR ([mname] = @Original_mname)) AND ((@IsNull_lname = 1 AND [lname] IS NULL) OR ([lname] = @Original_lname)) AND ((@IsNull_rollno = 1 AND [rollno] IS NULL) OR ([rollno] = @Original_rollno)) AND ((@IsNull_year = 1 AND [year] IS NULL) OR ([year] = @Original_year)) AND ((@IsNull_div = 1 AND [div] IS NULL) OR ([div] = @Original_div)) AND ((@IsNull_contact = 1 AND [contact] IS NULL) OR ([contact] = @Original_contact)) AND ((@IsNull_password = 1 AND [password] IS NULL) OR ([password] = @Original_password)) AND ((@IsNull_age = 1 AND [age] IS NULL) OR ([age] = @Original_age)) AND ((@IsNull_gender = 1 AND [gender] IS NULL) OR ([gender] = @Original_gender)) AND ((@IsNull_regdate = 1 AND [regdate] IS NULL) OR ([regdate] = @Original_regdate)));
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.709902982.00000000001B2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000005.00000000.706602369.00000000002F2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000006.00000002.708267047.0000000000172000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000007.00000000.708875214.0000000000712000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[cr_db] ([crno], [dept], [year], [sub], [topic], [facid], [qtot]) VALUES (@crno, @dept, @year, @sub, @topic, @facid, @qtot);
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.709902982.00000000001B2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000005.00000000.706602369.00000000002F2000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000006.00000002.708267047.0000000000172000.00000002.00020000.sdmp, 10377 APT800_B0205K0384.exe, 00000007.00000000.708875214.0000000000712000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[studentreg] ([prno], [fname], [mname], [lname], [rollno], [year], [div], [contact], [password], [age], [gender], [regdate]) VALUES (@prno, @fname, @mname, @lname, @rollno, @year, @div, @contact, @password, @age, @gender, @regdate);
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_01
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Mutant created: \Sessions\1\BaseNamedObjects\ELAIITwngSefilReBsBJLauTa
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{9358a53f-433c-42f5-bd3f-14ae4da528cf}
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 10377 APT800_B0205K0384.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 10377 APT800_B0205K0384.exe Static file information: File size 1583616 > 1048576
Source: 10377 APT800_B0205K0384.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 10377 APT800_B0205K0384.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x182000
Source: 10377 APT800_B0205K0384.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 10377 APT800_B0205K0384.exe, Login.cs .Net Code: Str_012 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0255C202 push ds; retf 0_2_0255C209
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02551AE1 pushfd ; retf 0000h 0_2_02551AE2
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_02551AA9 pushfd ; retf 0000h 0_2_02551AAA
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0255013C push ebx; iretd 0_2_0255014B
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0255C9CD push ebx; ret 0_2_0255C9D4
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_025519F9 pushfd ; retf 0000h 0_2_025519FA
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_0255C18A pushfd ; retf 0_2_0255C18B
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 0_2_06D57B7B push ecx; ret 0_2_06D57B82
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B59EF0 push 0000006Fh; ret 7_2_02B59F17
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_02B59F18 push 0000006Fh; ret 7_2_02B59F17

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe File created: C:\Users\user\AppData\Roaming\xErAccEJcQLD.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xErAccEJcQLD' /XML 'C:\Users\user\AppData\Local\Temp\tmp1570.tmp'
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5640 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5640 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5640 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 3512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5292 Thread sleep count: 373 > 30
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5292 Thread sleep count: 834 > 30
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 3096 Thread sleep count: 304 > 30
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe TID: 5292 Thread sleep count: 286 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Window / User API: threadDelayed 373
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Window / User API: threadDelayed 834
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Window / User API: foregroundWindowGot 696
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05162206 GetSystemInfo, 7_2_05162206
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Thread delayed: delay time: 922337203685477
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.710684503.0000000000918000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.711477717.00000000029D1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Memory written: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xErAccEJcQLD' /XML 'C:\Users\user\AppData\Local\Temp\tmp1570.tmp'
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Process created: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe {path}
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929598143.0000000003149000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929015138.0000000001610000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929015138.0000000001610000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929015138.0000000001610000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929522587.0000000003104000.00000004.00000001.sdmp Binary or memory string: Program ManagertL

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: 10377 APT800_B0205K0384.exe, 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 10377 APT800_B0205K0384.exe, 00000007.00000002.929204128.0000000002ED1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5620000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.5624629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1e3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f229fd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3c8d590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.10377 APT800_B0205K0384.exe.3f1959e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.10377 APT800_B0205K0384.exe.3b67540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.930400215.0000000005620000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.713144984.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.927919186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.929668288.0000000003F17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 10377 APT800_B0205K0384.exe PID: 3484, type: MEMORYSTR
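The run of names in the memory string above (NanoCore.ClientPlugin, IClientNetworkHost, IClientLoggingHost, ClientPlugin.dll and so on) is the layout of a .NET assembly's #Strings metadata heap with its null separators stripped, which is why the plugin's type and method names are visible once the payload has been unpacked in memory, and they are the kind of evidence the MEMORY and MEMORYSTR Yara matches listed here key on. The script below is an added triage example; it is not part of this sandbox report and not vendor tooling. It searches a process-memory dump for a set of those names in both ASCII (as stored in the metadata heap) and UTF-16LE (in case a name was copied into a managed string), reads the dump in chunks with an overlap so a name split across a chunk boundary is neither missed nor double counted, and reports distinct markers rather than a raw hit count. The marker list is copied from the string quoted above; the chunk handling, the minimum-markers threshold and the SAMPLE buffer are assumptions made for illustration.

```python
# Added triage example for the NanoCore ClientPlugin metadata names quoted in
# the report; not part of the sandbox report and not vendor tooling. MARKERS
# are copied from the memory string above; the threshold, the chunked reader
# and SAMPLE are assumptions for illustration.
import re
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Type, interface, method and assembly names present in the report's string.
# The .NET #Strings heap stores them as null-terminated UTF-8/ASCII.
MARKERS: List[bytes] = [
    b"NanoCore.ClientPlugin",
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientDataHost",
    b"IClientNameObjectCollection",
    b"ClientPlugin.dll",
    b"BuildingHostCache",
    b"RebuildHostCache",
    b"DisableProtection",
    b"RestoreProtection",
]

# One pattern per marker and encoding: ASCII as in the metadata heap, UTF-16LE
# in case the same name was copied into a managed string.
_PATTERNS = []
for _m in MARKERS:
    _name = _m.decode("ascii")
    _PATTERNS.append((_name, "ascii", re.compile(re.escape(_m))))
    _PATTERNS.append((_name, "utf16", re.compile(re.escape(_name.encode("utf-16-le")))))

# Longest pattern in bytes (UTF-16 doubles the length) minus one: the tail that
# must be carried from one chunk to the next so a split marker still matches.
_OVERLAP = 2 * max(len(m) for m in MARKERS) - 1

Hit = Tuple[str, int]  # (encoding, absolute byte offset in the dump)


def scan_chunks(chunks: Iterable[bytes]) -> Dict[str, Set[Hit]]:
    """Scan a dump delivered in pieces, e.g. a file read with a fixed buffer.

    The last _OVERLAP bytes of the previous buffer are prepended to each chunk
    and hits are keyed by absolute offset, so a marker that straddles a chunk
    boundary is found exactly once: not missed, not counted twice.
    """
    hits: Dict[str, Set[Hit]] = {}
    tail = b""
    consumed = 0  # bytes of the dump that precede the current chunk
    for chunk in chunks:
        buf = tail + chunk
        base = consumed - len(tail)  # absolute offset of buf[0]
        for name, enc, pat in _PATTERNS:
            for m in pat.finditer(buf):
                hits.setdefault(name, set()).add((enc, base + m.start()))
        consumed += len(chunk)
        tail = buf[-_OVERLAP:]
    return hits


def scan_bytes(blob: bytes) -> Dict[str, Set[Hit]]:
    """Convenience wrapper for a dump that is already in memory."""
    return scan_chunks([blob])


def looks_like_nanocore_plugin(hits: Dict[str, Set[Hit]], min_markers: int = 4) -> bool:
    """Verdict on distinct markers, not raw hit count: one name repeated many
    times is weaker evidence than several different plugin-host names.
    The threshold of 4 is an assumption; tune it against your own corpus."""
    return len(hits) >= min_markers


def chunked(blob: bytes, size: int) -> Iterator[bytes]:
    """Split an in-memory buffer into fixed-size pieces (exercises the
    boundary handling on SAMPLE below)."""
    for i in range(0, len(blob), size):
        yield blob[i:i + size]


# Constructed sample, not a real dump: a slice resembling the report's string,
# with padding and one marker stored as UTF-16LE.
SAMPLE = (
    b"\x00" * 37
    + b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.My"
    + b"NanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHost"
    + b"IClientNetworkHostIClientUIHostIClientLoggingHost"
    + b"\x00" * 16
    + "ClientPlugin.dll".encode("utf-16-le")
    + b"\x00" * 9
)


if __name__ == "__main__":
    found = scan_bytes(SAMPLE)
    for name in sorted(found):
        print(f"{name:28s} {sorted(found[name])}")
    print("verdict:", looks_like_nanocore_plugin(found))
    # Seven-byte chunks split every marker across boundaries; the result must
    # equal the whole-buffer scan.
    assert scan_chunks(chunked(SAMPLE, 7)) == found
```

To use it on a real dump, feed `scan_chunks` an iterator that reads the file in fixed-size pieces; the overlap logic makes the chunk size irrelevant to the result. Matching on several distinct metadata names rather than a single string keeps the check from firing on an unrelated assembly that merely references the ClientPlugin.dll file name.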
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05162362 bind, 7_2_05162362
Source: C:\Users\user\Desktop\10377 APT800_B0205K0384.exe Code function: 7_2_05162310 bind, 7_2_05162310