Windows Analysis Report
triage_dropped_file

Overview

General Information

Sample Name: triage_dropped_file (renamed file extension from none to exe)
Analysis ID: 562157
MD5: f6eaacd1b39028130602ee0892e67663
SHA1: 12ba0b4e8c41ececa29814f9b64da351e5509fb0
SHA256: 1e144fefc15a6a2643674f01b3324e29b5320d45a16a081e8aad8a969712cb9d
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}
Source: triage_dropped_file.exe Virustotal: Detection: 52%
Source: triage_dropped_file.exe Metadefender: Detection: 21%
Source: triage_dropped_file.exe ReversingLabs: Detection: 70%
Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: http://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY Avira URL Cloud: Label: phishing
Source: http://www.inspectdecided.xyz/a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw Avira URL Cloud: Label: malware
Source: www.hstolchsjybyl.com Virustotal: Detection: 8%
Source: triage_dropped_file.exe Joe Sandbox ML: detected
Source: 5.2.triage_dropped_file.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Source: triage_dropped_file.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: triage_dropped_file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\mNyEIdHepa\src\obj\Debug\UCOMITypeL.pdb source: triage_dropped_file.exe
Source: Binary string: netsh.pdb source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 4x nop then pop esi 5_2_004172FD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 21_2_009972FD

Networking

Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: C:\Windows\explorer.exe Network Connect: 104.21.22.47 80
Source: C:\Windows\explorer.exe Domain query: www.inspectdecided.xyz
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe Domain query: www.fengyat.club
Source: C:\Windows\explorer.exe DNS query: www.inspectdecided.xyz
Source: Malware configuration extractor URLs: www.hstolchsjybyl.com/a83r/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw HTTP/1.1 Host: www.inspectdecided.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY HTTP/1.1 Host: www.fengyat.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 188.114.96.7
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000015.00000002.508497222.0000000003C2F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU
Source: unknown DNS traffic detected: queries for: www.inspectdecided.xyz

E-Banking Fraud

Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: triage_dropped_file.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0186C1D4 0_2_0186C1D4
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0186E608 0_2_0186E608
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0186E618 0_2_0186E618
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041E876 5_2_0041E876
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041E47F 5_2_0041E47F
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041DDBE 5_2_0041DDBE
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409E5B 5_2_00409E5B
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041E622 5_2_0041E622
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03302B28 21_2_03302B28
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AB40 21_2_0325AB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326EBB0 21_2_0326EBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F03DA 21_2_032F03DA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FDBD2 21_2_032FDBD2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EFA2B 21_2_032EFA2B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_033022AE 21_2_033022AE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323F900 21_2_0323F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330E824 21_2_0330E824
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 21_2_0325A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F1002 21_2_032F1002
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_033020A8 21_2_033020A8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B090 21_2_0324B090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_033028EC 21_2_033028EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03301FF1 21_2_03301FF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330DFCE 21_2_0330DFCE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03256E30 21_2_03256E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FD616 21_2_032FD616
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03302EF7 21_2_03302EF7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03230D20 21_2_03230D20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03302D07 21_2_03302D07
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03301D55 21_2_03301D55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262581 21_2_03262581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324D5E0 21_2_0324D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_033025DD 21_2_033025DD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324841F 21_2_0324841F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FD466 21_2_032FD466
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099E876 21_2_0099E876
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099E47F 21_2_0099E47F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00982D90 21_2_00982D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099DDB9 21_2_0099DDB9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099E622 21_2_0099E622
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00989E5B 21_2_00989E5B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00989E60 21_2_00989E60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00982FB0 21_2_00982FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0323B150 appears 72 times
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A370 NtCreateFile, 5_2_0041A370
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A420 NtReadFile, 5_2_0041A420
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A4A0 NtClose, 5_2_0041A4A0
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A550 NtAllocateVirtualMemory, 5_2_0041A550
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A41A NtReadFile, 5_2_0041A41A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279A50 NtCreateFile,LdrInitializeThunk, 21_2_03279A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279910 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_03279910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032799A0 NtCreateSection,LdrInitializeThunk, 21_2_032799A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279860 NtQuerySystemInformation,LdrInitializeThunk, 21_2_03279860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279840 NtDelayExecution,LdrInitializeThunk, 21_2_03279840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279710 NtQueryInformationToken,LdrInitializeThunk, 21_2_03279710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279780 NtMapViewOfSection,LdrInitializeThunk, 21_2_03279780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279FE0 NtCreateMutant,LdrInitializeThunk, 21_2_03279FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032796E0 NtFreeVirtualMemory,LdrInitializeThunk, 21_2_032796E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032796D0 NtCreateKey,LdrInitializeThunk, 21_2_032796D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279540 NtReadFile,LdrInitializeThunk, 21_2_03279540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032795D0 NtClose,LdrInitializeThunk, 21_2_032795D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279B00 NtSetValueKey, 21_2_03279B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327A3B0 NtGetContextThread, 21_2_0327A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279A20 NtResumeThread, 21_2_03279A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279A00 NtProtectVirtualMemory, 21_2_03279A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279A10 NtQuerySection, 21_2_03279A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279A80 NtOpenDirectoryObject, 21_2_03279A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279950 NtQueueApcThread, 21_2_03279950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032799D0 NtCreateProcessEx, 21_2_032799D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279820 NtEnumerateKey, 21_2_03279820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327B040 NtSuspendThread, 21_2_0327B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032798A0 NtWriteVirtualMemory, 21_2_032798A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032798F0 NtReadVirtualMemory, 21_2_032798F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279730 NtQueryVirtualMemory, 21_2_03279730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327A710 NtOpenProcessToken, 21_2_0327A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279760 NtOpenProcess, 21_2_03279760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327A770 NtOpenThread, 21_2_0327A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279770 NtSetInformationFile, 21_2_03279770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032797A0 NtUnmapViewOfSection, 21_2_032797A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279610 NtEnumerateValueKey, 21_2_03279610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279660 NtAllocateVirtualMemory, 21_2_03279660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279670 NtQueryInformationProcess, 21_2_03279670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279650 NtQueryValueKey, 21_2_03279650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279520 NtWaitForSingleObject, 21_2_03279520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327AD30 NtSetContextThread, 21_2_0327AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03279560 NtWriteFile, 21_2_03279560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032795F0 NtQueryInformationFile, 21_2_032795F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A370 NtCreateFile, 21_2_0099A370
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A4A0 NtClose, 21_2_0099A4A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A420 NtReadFile, 21_2_0099A420
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A41A NtReadFile, 21_2_0099A41A
Source: triage_dropped_file.exe, 00000000.00000002.283726954.0000000000F06000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000000.00000002.288703731.00000000076B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000005.00000002.363758090.000000000179F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000005.00000000.281572749.0000000000A06000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000005.00000002.364364787.000000000347C000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs triage_dropped_file.exe
Source: triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs triage_dropped_file.exe
Source: triage_dropped_file.exe Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
Source: triage_dropped_file.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: triage_dropped_file.exe Virustotal: Detection: 52%
Source: triage_dropped_file.exe Metadefender: Detection: 21%
Source: triage_dropped_file.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\triage_dropped_file.exe File read: C:\Users\user\Desktop\triage_dropped_file.exe:Zone.Identifier
Source: C:\Users\user\Desktop\triage_dropped_file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\triage_dropped_file.exe "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process created: C:\Users\user\Desktop\triage_dropped_file.exe C:\Users\user\Desktop\triage_dropped_file.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\triage_dropped_file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\triage_dropped_file.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@3/2
Source: C:\Users\user\Desktop\triage_dropped_file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\triage_dropped_file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: triage_dropped_file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: triage_dropped_file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: triage_dropped_file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\mNyEIdHepa\src\obj\Debug\UCOMITypeL.pdb source: triage_dropped_file.exe
Source: Binary string: netsh.pdb source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: triage_dropped_file.exe, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.triage_dropped_file.exe.ea0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.triage_dropped_file.exe.ea0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.triage_dropped_file.exe.9a0000.1.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.2.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.3.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.5.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.9.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.1.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.7.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.triage_dropped_file.exe.9a0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041F074 push 0000003Ah; retf 5_2_0041F076
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041783E push 5B3B22F0h; retf 5_2_00417852
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041EA3B push E33F23DFh; ret 5_2_0041EA5E
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00416B72 push eax; retf 5_2_00416BE8
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041EC07 push 2AB056CEh; ret 5_2_0041ECC5
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D4C5 push eax; ret 5_2_0041D518
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041ECC6 push 2AB056CEh; ret 5_2_0041ECC5
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041654F push esp; iretd 5_2_00416550
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D57C push eax; ret 5_2_0041D582
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D512 push eax; ret 5_2_0041D518
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D51B push eax; ret 5_2_0041D582
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00416FF0 push edi; retf 5_2_0041700D
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A785 push esi; iretd 5_2_0041A786
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0328D0D1 push ecx; ret 21_2_0328D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099783E push 5B3B22F0h; retf 21_2_00997852
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099F074 push 0000003Ah; retf 21_2_0099F076
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099EA3B push E33F23DFh; ret 21_2_0099EA5E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00996B72 push eax; retf 21_2_00996BE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D4C5 push eax; ret 21_2_0099D518
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099ECC6 push 2AB056CEh; ret 21_2_0099ECC5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099EC07 push 2AB056CEh; ret 21_2_0099ECC5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D51B push eax; ret 21_2_0099D582
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D512 push eax; ret 21_2_0099D518
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099654F push esp; iretd 21_2_00996550
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D57C push eax; ret 21_2_0099D582
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A785 push esi; iretd 21_2_0099A786
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00996FF0 push edi; retf 21_2_0099700D
Source: initial sample Static PE information: section name: .text entropy: 7.82226086578

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\netsh.exe Process created: /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.triage_dropped_file.exe.32b9d84.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.triage_dropped_file.exe.323d3bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: triage_dropped_file.exe PID: 3428, type: MEMORYSTR
Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\triage_dropped_file.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\triage_dropped_file.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000989904 second address: 000000000098990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000989B7E second address: 0000000000989B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\triage_dropped_file.exe TID: 2900 Thread sleep time: -39332s >= -30000s
Source: C:\Users\user\Desktop\triage_dropped_file.exe TID: 1388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\netsh.exe API coverage: 7.4 %
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 39332
Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 922337203685477
Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000C.00000000.296251998.000000000891C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000C.00000000.321089896.0000000003710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000C.00000000.304861001.0000000003767000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000C.00000000.348408544.00000000011B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000C.00000000.313661366.00000000089B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000C.00000000.321983274.00000000053C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000C.00000000.313661366.00000000089B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
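The entries above, together with the fs:[00000030h] reads listed under Anti Debugging below, are easier to act on as counts per technique than as raw lines. The script that follows is an added example written for this report; it is not part of the Joe Sandbox output or of the sample. It parses lines in the report's own `Source: ...` format and groups them: sleep requests compared against the sandbox's 30000 threshold, back-to-back RDTSC pairs (the two pairs seen in netsh.exe sit exactly 0x580000 above the ones in triage_dropped_file.exe, the same timing check relocated into the injected process), per-function counts of `mov eax, dword ptr fs:[00000030h]` (on 32-bit Windows fs:[30h] is the PEB, whose BeingDebugged byte and NtGlobalFlag field are the classic debugger checks), and memory strings that name a hypervisor or sandbox. Assumptions: the sample lines are copied from this report and embedded as constructed input; the "s"-suffixed sleep values are treated as milliseconds, which is what the 30000 threshold suggests and what makes 922337203685477 equal 0x7FFFFFFFFFFFFFFF // 10000, the largest signed 64-bit NT relative timeout and so an effectively infinite wait; the indicator list and the ATT&CK mapping are the example's own.

```python
"""Summarise evasion and anti-debugging entries of a sandbox behaviour report.

Added example; not part of the report or of the Joe Sandbox tooling. It reads
lines in the "Source: ..." format used above and groups them into the
evasion techniques a triage analyst wants counted rather than listed.
"""
import re
from collections import Counter, defaultdict

# 0x7FFFFFFFFFFFFFFF is the largest positive 64-bit NT relative timeout
# (100 ns units); divided by 10_000 it is that timeout in milliseconds, the
# exact value the report shows for TID 1388: an effectively infinite wait.
# Assumption: the report's "s"-suffixed values are milliseconds, as the
# 30000 threshold suggests.
INFINITE_DELAY = 0x7FFFFFFFFFFFFFFF // 10_000

SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")
RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+)"
)
# fs:[30h] is the PEB on 32-bit Windows (BeingDebugged at +2, NtGlobalFlag at +0x68).
PEB_RE = re.compile(r"Code function: (\S+) mov (\w+), dword ptr fs:\[00000030h\]")
MEMSTR_RE = re.compile(r"Binary or memory string: (.*)$")
SOURCE_RE = re.compile(r"^Source: (\S+?),?\s")

# Lower-cased substrings that identify a hypervisor, sandbox or emulator (example's own list).
VM_INDICATORS = {
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "virtualbox": "VirtualBox",
    "qemu": "QEMU",
    "sbiedll": "Sandboxie",
    "wine_get_unix_file_name": "Wine",
}

# Constructed sample: entries copied from the report above.
SAMPLE_LINES = [
    "Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL",
    "Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "Source: C:\\Users\\user\\Desktop\\triage_dropped_file.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\triage_dropped_file.exe TID: 2900 Thread sleep time: -39332s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\triage_dropped_file.exe TID: 1388 Thread sleep time: -922337203685477s >= -30000s",
    "Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "Source: C:\\Windows\\SysWOW64\\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2",
    "Source: C:\\Windows\\SysWOW64\\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2",
    "Source: C:\\Windows\\SysWOW64\\netsh.exe Code function: 21_2_0323DB60 mov ecx, dword ptr fs:[00000030h] 21_2_0323DB60",
]


def classify_sleep(delay, threshold):
    """Label a sleep request relative to the sandbox's own threshold."""
    if delay >= INFINITE_DELAY:
        return "infinite"
    if delay >= threshold:
        return "long"
    return "short"


def triage(lines):
    """Group report lines by evasion technique; returns a plain dict summary."""
    summary = {
        "sleeps": [],
        "rdtsc_pairs": [],
        "peb_reads": Counter(),
        "vm_indicators": defaultdict(list),
    }
    for line in lines:
        src = SOURCE_RE.match(line)
        source = src.group(1) if src else "?"
        if m := SLEEP_RE.search(line):
            delay, threshold = int(m.group(1)), int(m.group(2))
            summary["sleeps"].append({
                "source": source, "delay": delay, "threshold": threshold,
                "verdict": classify_sleep(delay, threshold),
            })
        elif m := RDTSC_RE.search(line):
            first, second = int(m.group(1), 16), int(m.group(2), 16)
            # A gap of a few bytes means two RDTSC reads with almost nothing in
            # between: a pure timing probe for single-stepping or instruction emulation.
            summary["rdtsc_pairs"].append({
                "source": source, "first": first, "second": second, "gap": second - first,
            })
        elif m := PEB_RE.search(line):
            summary["peb_reads"][m.group(1)] += 1
        elif m := MEMSTR_RE.search(line):
            text = m.group(1)
            lowered = text.lower()
            for needle, label in VM_INDICATORS.items():
                if needle in lowered and text not in summary["vm_indicators"][label]:
                    summary["vm_indicators"][label].append(text)
    summary["vm_indicators"] = dict(summary["vm_indicators"])
    return summary


def techniques(summary):
    """Map the summary to ATT&CK IDs: T1497 sandbox evasion, T1622 debugger evasion."""
    found = set()
    if summary["vm_indicators"]:
        found.add("T1497.001")  # Virtualization/Sandbox Evasion: System Checks
    if summary["rdtsc_pairs"] or any(s["verdict"] != "short" for s in summary["sleeps"]):
        found.add("T1497.003")  # Virtualization/Sandbox Evasion: Time Based Evasion
    if summary["peb_reads"]:
        found.add("T1622")  # Debugger Evasion (PEB fields read via fs:[30h])
    return sorted(found)


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for entry in result["sleeps"]:
        print(f"sleep {entry['delay']} ms from {entry['source']}: {entry['verdict']}")
    print("rdtsc pairs:", [(hex(p["first"]), p["gap"]) for p in result["rdtsc_pairs"]])
    print("PEB reads per function:", dict(result["peb_reads"]))
    print("VM indicators:", result["vm_indicators"])
    print("techniques:", techniques(result))
```

Run it over a saved copy of the report with one entry per line to get the per-technique counts; `techniques()` gives the T1497/T1622 labels for the ticket. The indicator list is deliberately short; extend `VM_INDICATORS` with the product strings your own sandbox images expose.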

Anti Debugging

Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F131B mov eax, dword ptr fs:[00000030h] 21_2_032F131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323DB60 mov ecx, dword ptr fs:[00000030h] 21_2_0323DB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03263B7A mov eax, dword ptr fs:[00000030h] 21_2_03263B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03263B7A mov eax, dword ptr fs:[00000030h] 21_2_03263B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323DB40 mov eax, dword ptr fs:[00000030h] 21_2_0323DB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308B58 mov eax, dword ptr fs:[00000030h] 21_2_03308B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323F358 mov eax, dword ptr fs:[00000030h] 21_2_0323F358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03264BAD mov eax, dword ptr fs:[00000030h] 21_2_03264BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03264BAD mov eax, dword ptr fs:[00000030h] 21_2_03264BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03264BAD mov eax, dword ptr fs:[00000030h] 21_2_03264BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03305BA5 mov eax, dword ptr fs:[00000030h] 21_2_03305BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F138A mov eax, dword ptr fs:[00000030h] 21_2_032F138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03241B8F mov eax, dword ptr fs:[00000030h] 21_2_03241B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03241B8F mov eax, dword ptr fs:[00000030h] 21_2_03241B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032ED380 mov ecx, dword ptr fs:[00000030h] 21_2_032ED380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262397 mov eax, dword ptr fs:[00000030h] 21_2_03262397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326B390 mov eax, dword ptr fs:[00000030h] 21_2_0326B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h] 21_2_032603E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325DBE9 mov eax, dword ptr fs:[00000030h] 21_2_0325DBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B53CA mov eax, dword ptr fs:[00000030h] 21_2_032B53CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B53CA mov eax, dword ptr fs:[00000030h] 21_2_032B53CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03274A2C mov eax, dword ptr fs:[00000030h] 21_2_03274A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03274A2C mov eax, dword ptr fs:[00000030h] 21_2_03274A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h] 21_2_0325A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03248A0A mov eax, dword ptr fs:[00000030h] 21_2_03248A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov eax, dword ptr fs:[00000030h] 21_2_03235210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov ecx, dword ptr fs:[00000030h] 21_2_03235210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov eax, dword ptr fs:[00000030h] 21_2_03235210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov eax, dword ptr fs:[00000030h] 21_2_03235210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323AA16 mov eax, dword ptr fs:[00000030h] 21_2_0323AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323AA16 mov eax, dword ptr fs:[00000030h] 21_2_0323AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03253A1C mov eax, dword ptr fs:[00000030h] 21_2_03253A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FAA16 mov eax, dword ptr fs:[00000030h] 21_2_032FAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FAA16 mov eax, dword ptr fs:[00000030h] 21_2_032FAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EB260 mov eax, dword ptr fs:[00000030h] 21_2_032EB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EB260 mov eax, dword ptr fs:[00000030h] 21_2_032EB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308A62 mov eax, dword ptr fs:[00000030h] 21_2_03308A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327927A mov eax, dword ptr fs:[00000030h] 21_2_0327927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239240 mov eax, dword ptr fs:[00000030h] 21_2_03239240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239240 mov eax, dword ptr fs:[00000030h] 21_2_03239240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239240 mov eax, dword ptr fs:[00000030h] 21_2_03239240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239240 mov eax, dword ptr fs:[00000030h] 21_2_03239240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FEA55 mov eax, dword ptr fs:[00000030h] 21_2_032FEA55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032C4257 mov eax, dword ptr fs:[00000030h] 21_2_032C4257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h] 21_2_032352A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h] 21_2_032352A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h] 21_2_032352A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h] 21_2_032352A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h] 21_2_032352A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324AAB0 mov eax, dword ptr fs:[00000030h] 21_2_0324AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324AAB0 mov eax, dword ptr fs:[00000030h] 21_2_0324AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326FAB0 mov eax, dword ptr fs:[00000030h] 21_2_0326FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326D294 mov eax, dword ptr fs:[00000030h] 21_2_0326D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326D294 mov eax, dword ptr fs:[00000030h] 21_2_0326D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262AE4 mov eax, dword ptr fs:[00000030h] 21_2_03262AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262ACB mov eax, dword ptr fs:[00000030h] 21_2_03262ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov eax, dword ptr fs:[00000030h] 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov eax, dword ptr fs:[00000030h] 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov eax, dword ptr fs:[00000030h] 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov eax, dword ptr fs:[00000030h] 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov ecx, dword ptr fs:[00000030h] 21_2_03254120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326513A mov eax, dword ptr fs:[00000030h] 21_2_0326513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326513A mov eax, dword ptr fs:[00000030h] 21_2_0326513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239100 mov eax, dword ptr fs:[00000030h] 21_2_03239100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239100 mov eax, dword ptr fs:[00000030h] 21_2_03239100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239100 mov eax, dword ptr fs:[00000030h] 21_2_03239100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323C962 mov eax, dword ptr fs:[00000030h] 21_2_0323C962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B171 mov eax, dword ptr fs:[00000030h] 21_2_0323B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B171 mov eax, dword ptr fs:[00000030h] 21_2_0323B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B944 mov eax, dword ptr fs:[00000030h] 21_2_0325B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B944 mov eax, dword ptr fs:[00000030h] 21_2_0325B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032661A0 mov eax, dword ptr fs:[00000030h] 21_2_032661A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032661A0 mov eax, dword ptr fs:[00000030h] 21_2_032661A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F49A4 mov eax, dword ptr fs:[00000030h] 21_2_032F49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F49A4 mov eax, dword ptr fs:[00000030h] 21_2_032F49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F49A4 mov eax, dword ptr fs:[00000030h] 21_2_032F49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F49A4 mov eax, dword ptr fs:[00000030h] 21_2_032F49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B69A6 mov eax, dword ptr fs:[00000030h] 21_2_032B69A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B51BE mov eax, dword ptr fs:[00000030h] 21_2_032B51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B51BE mov eax, dword ptr fs:[00000030h] 21_2_032B51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B51BE mov eax, dword ptr fs:[00000030h] 21_2_032B51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B51BE mov eax, dword ptr fs:[00000030h] 21_2_032B51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov eax, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov eax, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov eax, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov eax, dword ptr fs:[00000030h] 21_2_032599BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A185 mov eax, dword ptr fs:[00000030h] 21_2_0326A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325C182 mov eax, dword ptr fs:[00000030h] 21_2_0325C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262990 mov eax, dword ptr fs:[00000030h] 21_2_03262990
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B1E1 mov eax, dword ptr fs:[00000030h] 21_2_0323B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B1E1 mov eax, dword ptr fs:[00000030h] 21_2_0323B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B1E1 mov eax, dword ptr fs:[00000030h] 21_2_0323B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032C41E8 mov eax, dword ptr fs:[00000030h] 21_2_032C41E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h] 21_2_0326002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h] 21_2_0326002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h] 21_2_0326002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h] 21_2_0326002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h] 21_2_0326002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B02A mov eax, dword ptr fs:[00000030h] 21_2_0324B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B02A mov eax, dword ptr fs:[00000030h] 21_2_0324B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B02A mov eax, dword ptr fs:[00000030h] 21_2_0324B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B02A mov eax, dword ptr fs:[00000030h] 21_2_0324B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 mov eax, dword ptr fs:[00000030h] 21_2_0325A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 mov eax, dword ptr fs:[00000030h] 21_2_0325A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 mov eax, dword ptr fs:[00000030h] 21_2_0325A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 mov eax, dword ptr fs:[00000030h] 21_2_0325A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03304015 mov eax, dword ptr fs:[00000030h] 21_2_03304015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03304015 mov eax, dword ptr fs:[00000030h] 21_2_03304015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7016 mov eax, dword ptr fs:[00000030h] 21_2_032B7016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7016 mov eax, dword ptr fs:[00000030h] 21_2_032B7016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7016 mov eax, dword ptr fs:[00000030h] 21_2_032B7016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03301074 mov eax, dword ptr fs:[00000030h] 21_2_03301074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F2073 mov eax, dword ptr fs:[00000030h] 21_2_032F2073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03250050 mov eax, dword ptr fs:[00000030h] 21_2_03250050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03250050 mov eax, dword ptr fs:[00000030h] 21_2_03250050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h] 21_2_032620A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032790AF mov eax, dword ptr fs:[00000030h] 21_2_032790AF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326F0BF mov ecx, dword ptr fs:[00000030h] 21_2_0326F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326F0BF mov eax, dword ptr fs:[00000030h] 21_2_0326F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326F0BF mov eax, dword ptr fs:[00000030h] 21_2_0326F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239080 mov eax, dword ptr fs:[00000030h] 21_2_03239080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B3884 mov eax, dword ptr fs:[00000030h] 21_2_032B3884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B3884 mov eax, dword ptr fs:[00000030h] 21_2_032B3884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B8E4 mov eax, dword ptr fs:[00000030h] 21_2_0325B8E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B8E4 mov eax, dword ptr fs:[00000030h] 21_2_0325B8E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032340E1 mov eax, dword ptr fs:[00000030h] 21_2_032340E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032340E1 mov eax, dword ptr fs:[00000030h] 21_2_032340E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032340E1 mov eax, dword ptr fs:[00000030h] 21_2_032340E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032358EC mov eax, dword ptr fs:[00000030h] 21_2_032358EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov ecx, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h] 21_2_032CB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03234F2E mov eax, dword ptr fs:[00000030h] 21_2_03234F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03234F2E mov eax, dword ptr fs:[00000030h] 21_2_03234F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326E730 mov eax, dword ptr fs:[00000030h] 21_2_0326E730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B73D mov eax, dword ptr fs:[00000030h] 21_2_0325B73D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B73D mov eax, dword ptr fs:[00000030h] 21_2_0325B73D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A70E mov eax, dword ptr fs:[00000030h] 21_2_0326A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A70E mov eax, dword ptr fs:[00000030h] 21_2_0326A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325F716 mov eax, dword ptr fs:[00000030h] 21_2_0325F716
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CFF10 mov eax, dword ptr fs:[00000030h] 21_2_032CFF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CFF10 mov eax, dword ptr fs:[00000030h] 21_2_032CFF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330070D mov eax, dword ptr fs:[00000030h] 21_2_0330070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330070D mov eax, dword ptr fs:[00000030h] 21_2_0330070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324FF60 mov eax, dword ptr fs:[00000030h] 21_2_0324FF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308F6A mov eax, dword ptr fs:[00000030h] 21_2_03308F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324EF40 mov eax, dword ptr fs:[00000030h] 21_2_0324EF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03248794 mov eax, dword ptr fs:[00000030h] 21_2_03248794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7794 mov eax, dword ptr fs:[00000030h] 21_2_032B7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7794 mov eax, dword ptr fs:[00000030h] 21_2_032B7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7794 mov eax, dword ptr fs:[00000030h] 21_2_032B7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032737F5 mov eax, dword ptr fs:[00000030h] 21_2_032737F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323E620 mov eax, dword ptr fs:[00000030h] 21_2_0323E620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EFE3F mov eax, dword ptr fs:[00000030h] 21_2_032EFE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h] 21_2_0323C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h] 21_2_0323C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h] 21_2_0323C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03268E00 mov eax, dword ptr fs:[00000030h] 21_2_03268E00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F1608 mov eax, dword ptr fs:[00000030h] 21_2_032F1608
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A61C mov eax, dword ptr fs:[00000030h] 21_2_0326A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A61C mov eax, dword ptr fs:[00000030h] 21_2_0326A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324766D mov eax, dword ptr fs:[00000030h] 21_2_0324766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h] 21_2_0325AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h] 21_2_0325AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h] 21_2_0325AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h] 21_2_0325AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h] 21_2_0325AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h] 21_2_03247E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FAE44 mov eax, dword ptr fs:[00000030h] 21_2_032FAE44
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FAE44 mov eax, dword ptr fs:[00000030h] 21_2_032FAE44
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B46A7 mov eax, dword ptr fs:[00000030h] 21_2_032B46A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h] 21_2_03300EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h] 21_2_03300EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h] 21_2_03300EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CFE87 mov eax, dword ptr fs:[00000030h] 21_2_032CFE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032616E0 mov ecx, dword ptr fs:[00000030h] 21_2_032616E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032476E2 mov eax, dword ptr fs:[00000030h] 21_2_032476E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03278EC7 mov eax, dword ptr fs:[00000030h] 21_2_03278EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308ED6 mov eax, dword ptr fs:[00000030h] 21_2_03308ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032636CC mov eax, dword ptr fs:[00000030h] 21_2_032636CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EFEC0 mov eax, dword ptr fs:[00000030h] 21_2_032EFEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308D34 mov eax, dword ptr fs:[00000030h] 21_2_03308D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h] 21_2_03243D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323AD30 mov eax, dword ptr fs:[00000030h] 21_2_0323AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FE539 mov eax, dword ptr fs:[00000030h] 21_2_032FE539
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032BA537 mov eax, dword ptr fs:[00000030h] 21_2_032BA537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03264D3B mov eax, dword ptr fs:[00000030h] 21_2_03264D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325C577 mov eax, dword ptr fs:[00000030h] 21_2_0325C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03273D43 mov eax, dword ptr fs:[00000030h] 21_2_03273D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B3540 mov eax, dword ptr fs:[00000030h] 21_2_032B3540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032E3D40 mov eax, dword ptr fs:[00000030h] 21_2_032E3D40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03257D50 mov eax, dword ptr fs:[00000030h] 21_2_03257D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032635A1 mov eax, dword ptr fs:[00000030h] 21_2_032635A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03261DB5 mov eax, dword ptr fs:[00000030h] 21_2_03261DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_033005AC mov eax, dword ptr fs:[00000030h] 21_2_033005AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262581 mov eax, dword ptr fs:[00000030h] 21_2_03262581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h] 21_2_03232D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326FD9B mov eax, dword ptr fs:[00000030h] 21_2_0326FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324D5E0 mov eax, dword ptr fs:[00000030h] 21_2_0324D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FFDE2 mov eax, dword ptr fs:[00000030h] 21_2_032FFDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032E8DF1 mov eax, dword ptr fs:[00000030h] 21_2_032E8DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h] 21_2_032B6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B6DC9 mov ecx, dword ptr fs:[00000030h] 21_2_032B6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326BC2C mov eax, dword ptr fs:[00000030h] 21_2_0326BC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B6C0A mov eax, dword ptr fs:[00000030h] 21_2_032B6C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h] 21_2_032F1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330740D mov eax, dword ptr fs:[00000030h] 21_2_0330740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325746D mov eax, dword ptr fs:[00000030h] 21_2_0325746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A44B mov eax, dword ptr fs:[00000030h] 21_2_0326A44B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CC450 mov eax, dword ptr fs:[00000030h] 21_2_032CC450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324849B mov eax, dword ptr fs:[00000030h] 21_2_0324849B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F14FB mov eax, dword ptr fs:[00000030h] 21_2_032F14FB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B6CF0 mov eax, dword ptr fs:[00000030h] 21_2_032B6CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308CD6 mov eax, dword ptr fs:[00000030h] 21_2_03308CD6
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Source: C:\Users\user\Desktop\triage_dropped_file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 104.21.22.47 80
Source: C:\Windows\explorer.exe Domain query: www.inspectdecided.xyz
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe Domain query: www.fengyat.club
Source: C:\Users\user\Desktop\triage_dropped_file.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 11F0000
Source: C:\Users\user\Desktop\triage_dropped_file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\triage_dropped_file.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Users\user\Desktop\triage_dropped_file.exe Memory written: C:\Users\user\Desktop\triage_dropped_file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process created: C:\Users\user\Desktop\triage_dropped_file.exe C:\Users\user\Desktop\triage_dropped_file.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: explorer.exe, 0000000C.00000000.323379874.0000000005EA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.296362261.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.326748395.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.313706142.00000000089FF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000C.00000000.287389858.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.319675230.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.348327898.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.302787668.0000000001128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Users\user\Desktop\triage_dropped_file.exe VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\triage_dropped_file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information

Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY