Windows Analysis Report
t40mINaB76.exe

Overview

General Information

Sample Name: t40mINaB76.exe
Analysis ID: 652384
MD5: 245ec1208ca48e276c460411f78c1709
SHA1: d11e01fe9082690cfedbdd60dcb720dc3cc31b50
SHA256: 4f226448711ce98504aa05d3ebdec11f518aa583f58d21b44869912b039a5bb7
Tags: exeSnakeKeylogger
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: t40mINaB76.exe Virustotal: Detection: 35% Perma Link
Source: t40mINaB76.exe ReversingLabs: Detection: 53%
Machine Learning detection for sample
Source: t40mINaB76.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.t40mINaB76.exe.400000.6.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.10.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.4.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.8.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.12.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.2.t40mINaB76.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 3.0.t40mINaB76.exe.400000.6.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "arinzelog@valete.buzz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "arinze@valete.buzz"}
Uses 32bit PE files
Source: t40mINaB76.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: t40mINaB76.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B4F539h 3_2_02B4F280
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B47507h 3_2_02B47200
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B48687h 3_2_02B483C9
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B4FDE9h 3_2_02B4FB30
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B47DC7h 3_2_02B47B08
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B463D1h 3_2_02B46111
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B47967h 3_2_02B476A8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B46B10h 3_2_02B466F8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B4F991h 3_2_02B4F6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B4F0E1h 3_2_02B4EE28
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B48227h 3_2_02B47F68
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B4EC8Ah 3_2_02B4E758
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B45F70h 3_2_02B45587
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02B452BC
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02B44AA8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B46B10h 3_2_02B46A3E
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_02B450DB
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 02B46B10h 3_2_02B466E8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 063762E1h 3_2_06376038
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637FAE1h 3_2_0637F838
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 063748D1h 3_2_06374628
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637E0A9h 3_2_0637DE00
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06373319h 3_2_06373070
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06377CF1h 3_2_06377A48
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06378149h 3_2_06377EA0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06376739h 3_2_06376490
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06374D29h 3_2_06374A80
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637E529h 3_2_0637E280
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 063785A1h 3_2_063782F8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06376B91h 3_2_063768E8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06375181h 3_2_06374ED8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637E981h 3_2_0637E6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06373771h 3_2_063734C8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 063755D9h 3_2_06375330
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637EDD9h 3_2_0637EB30
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06373BC9h 3_2_06373920
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06374021h 3_2_06373D78
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 063789F9h 3_2_06378750
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06376FE9h 3_2_06376D40
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06377441h 3_2_06377198
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06375A31h 3_2_06375788
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637F231h 3_2_0637EF88
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06377899h 3_2_063775F0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06375E89h 3_2_06375BE0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 0637F689h 3_2_0637F3E0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then jmp 06374479h 3_2_063741D0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0637C020
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0637C00F
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0637C336

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.7:49776 -> 132.226.8.169:80
May check the online IP address of the machine
Source: C:\Users\user\Desktop\t40mINaB76.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\t40mINaB76.exe DNS query: name: checkip.dyndns.org
Yara detected Generic Downloader
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: t40mINaB76.exe, 00000003.00000002.618270110.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: t40mINaB76.exe, 00000003.00000002.618024955.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: t40mINaB76.exe, 00000003.00000002.618229556.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org4fk0
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: t40mINaB76.exe, 00000003.00000002.618024955.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: t40mINaB76.exe, 00000000.00000003.352500439.00000000056F3000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353409000.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353721307.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.353001018.00000000056F7000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.354043115.00000000056FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comily
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: t40mINaB76.exe, 00000000.00000003.351635075.0000000005704000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: t40mINaB76.exe, 00000000.00000003.355217285.000000000570E000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.355125365.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlo
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: t40mINaB76.exe, 00000000.00000002.383796685.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.come.coma
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: t40mINaB76.exe, 00000000.00000003.351157043.0000000005701000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351002112.0000000005700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.357659176.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: t40mINaB76.exe, 00000000.00000002.389854976.0000000006902000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000003.351452161.0000000005704000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: t40mINaB76.exe String found in binary or memory: https://picsum.photos/80
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Uses 32bit PE files
Source: t40mINaB76.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Detected potential crypto function
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_00EAF882 0_2_00EAF882
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4F280 3_2_02B4F280
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B47200 3_2_02B47200
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B46B88 3_2_02B46B88
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B483C9 3_2_02B483C9
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4FB30 3_2_02B4FB30
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B47B08 3_2_02B47B08
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B46111 3_2_02B46111
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B476A8 3_2_02B476A8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4F6D8 3_2_02B4F6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4EE28 3_2_02B4EE28
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B47F68 3_2_02B47F68
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4E758 3_2_02B4E758
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4A45A 3_2_02B4A45A
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B45587 3_2_02B45587
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B44AA8 3_2_02B44AA8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B44A98 3_2_02B44A98
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B47248 3_2_02B47248
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B46B78 3_2_02B46B78
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4DFE0 3_2_02B4DFE0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B4DFD0 3_2_02B4DFD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376038 3_2_06376038
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637F838 3_2_0637F838
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374628 3_2_06374628
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637DE00 3_2_0637DE00
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373070 3_2_06373070
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06370040 3_2_06370040
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377A48 3_2_06377A48
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377EA0 3_2_06377EA0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376490 3_2_06376490
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637D098 3_2_0637D098
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374A80 3_2_06374A80
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637E280 3_2_0637E280
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063782F8 3_2_063782F8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063768E8 3_2_063768E8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374ED8 3_2_06374ED8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637E6D8 3_2_0637E6D8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063734C8 3_2_063734C8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375330 3_2_06375330
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637EB30 3_2_0637EB30
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373920 3_2_06373920
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637B770 3_2_0637B770
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373D78 3_2_06373D78
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06378750 3_2_06378750
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376D40 3_2_06376D40
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06378BA8 3_2_06378BA8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377198 3_2_06377198
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637C398 3_2_0637C398
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375788 3_2_06375788
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637EF88 3_2_0637EF88
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063775F0 3_2_063775F0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375BE0 3_2_06375BE0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637F3E0 3_2_0637F3E0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063741D0 3_2_063741D0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377A3A 3_2_06377A3A
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637C020 3_2_0637C020
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376028 3_2_06376028
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637F828 3_2_0637F828
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374619 3_2_06374619
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06370006 3_2_06370006
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637C00F 3_2_0637C00F
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374A70 3_2_06374A70
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373062 3_2_06373062
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063734B8 3_2_063734B8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377E90 3_2_06377E90
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376482 3_2_06376482
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063782E8 3_2_063782E8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063768D8 3_2_063768D8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637B6C9 3_2_0637B6C9
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06374EC8 3_2_06374EC8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637E6C8 3_2_0637E6C8
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06376D36 3_2_06376D36
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375321 3_2_06375321
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637EB20 3_2_0637EB20
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373910 3_2_06373910
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637EF79 3_2_0637EF79
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375778 3_2_06375778
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06373D68 3_2_06373D68
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06378741 3_2_06378741
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06377188 3_2_06377188
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637DDF0 3_2_0637DDF0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063775E0 3_2_063775E0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_06375BD0 3_2_06375BD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_0637F3D0 3_2_0637F3D0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_063741C0 3_2_063741C0
Sample file is different than original file name gathered from version info
Source: t40mINaB76.exe Binary or memory string: OriginalFilename vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390847193.0000000007170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390556341.0000000006F10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCloneHelper.dll4 vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000000.00000002.390577870.0000000006F30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNativeVariant.dll" vs t40mINaB76.exe
Source: t40mINaB76.exe Binary or memory string: OriginalFilename vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000003.00000000.368971564.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs t40mINaB76.exe
Source: t40mINaB76.exe, 00000003.00000002.617356854.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs t40mINaB76.exe
Source: t40mINaB76.exe Binary or memory string: OriginalFilenameIMap.exe> vs t40mINaB76.exe
Source: t40mINaB76.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: t40mINaB76.exe Virustotal: Detection: 35%
Source: t40mINaB76.exe ReversingLabs: Detection: 53%
Source: t40mINaB76.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\t40mINaB76.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\t40mINaB76.exe "C:\Users\user\Desktop\t40mINaB76.exe"
Source: C:\Users\user\Desktop\t40mINaB76.exe Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe
Source: C:\Users\user\Desktop\t40mINaB76.exe Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\t40mINaB76.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: t40mINaB76.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\t40mINaB76.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: t40mINaB76.exe, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.9b0000.3.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.9b0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.t40mINaB76.exe.400000.6.unpack, u26ca?u060cufffd?/ufffdK??ufffd.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\t40mINaB76.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: t40mINaB76.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: t40mINaB76.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: t40mINaB76.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: t40mINaB76.exe, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.t40mINaB76.exe.3a0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.3.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.0.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.13.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.2.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.11.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.t40mINaB76.exe.9b0000.1.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.1.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.7.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.t40mINaB76.exe.9b0000.5.unpack, B20_Ex05_Din_312526551_Omer_312273493/FormMemoryGameSettings.cs .Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1C4A push dword ptr [edx]; retf 0_2_003B1C84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1E44 push dword ptr [edx]; retf 0_2_003B1E84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1C85 push dword ptr [eax]; retf 0_2_003B1C8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1A85 push dword ptr [eax]; retf 0_2_003B1A8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1E85 push dword ptr [eax]; retf 0_2_003B1E8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1ACD push ds; retf 0_2_003B1AD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1CCD push ds; retf 0_2_003B1CD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1ECD push ds; retf 0_2_003B1ED0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1B3E push dword ptr [edx]; retf 0_2_003B1B84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1936 push dword ptr [edx]; retf 0_2_003B1984
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1D4F push dword ptr [edx]; retf 0_2_003B1D84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1F4E push dword ptr [edx]; retf 0_2_003B1F84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1B85 push dword ptr [eax]; retf 0_2_003B1B8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1985 push dword ptr [eax]; retf 0_2_003B198C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1D85 push dword ptr [eax]; retf 0_2_003B1D8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1F85 push dword ptr [eax]; retf 0_2_003B1F8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B19E0 push dword ptr [edx]; retf 0_2_003B1A84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1BCD push ds; retf 0_2_003B1BD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B19CD push ds; retf 0_2_003B19D0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1DCD push ds; retf 0_2_003B1DD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 0_2_003B1FCD push ds; retf 0_2_003B1FD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1C85 push dword ptr [eax]; retf 3_2_009C1C8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1CCD push ds; retf 3_2_009C1CD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1C4A push dword ptr [edx]; retf 3_2_009C1C84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1985 push dword ptr [eax]; retf 3_2_009C198C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1D85 push dword ptr [eax]; retf 3_2_009C1D8C
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1DCD push ds; retf 3_2_009C1DD0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C19CD push ds; retf 3_2_009C19D0
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C19E0 push dword ptr [edx]; retf 3_2_009C1A84
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1936 push dword ptr [edx]; retf 3_2_009C1984
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_009C1D4F push dword ptr [edx]; retf 3_2_009C1D84
Binary contains a suspicious time stamp
Source: t40mINaB76.exe Static PE information: 0xF6D13CCD [Tue Mar 22 04:08:45 2101 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.873493921273272
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: t40mINaB76.exe, 00000000.00000002.384331004.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\t40mINaB76.exe TID: 6216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\t40mINaB76.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: t40mINaB76.exe, 00000000.00000002.384566708.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Enables debug privileges
Source: C:\Users\user\Desktop\t40mINaB76.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\t40mINaB76.exe Code function: 3_2_02B46B88 LdrInitializeThunk, 3_2_02B46B88
Source: C:\Users\user\Desktop\t40mINaB76.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 3.0.t40mINaB76.exe.400000.6.unpack, ufffdudb0audf1au07b8?/?????.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.6.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.10.unpack, ufffdudb0audf1au07b8?/?????.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.10.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.4.unpack, ufffdudb0audf1au07b8?/?????.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.4.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.8.unpack, ufffdudb0audf1au07b8?/?????.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.8.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 3.0.t40mINaB76.exe.400000.12.unpack, ufffdudb0audf1au07b8?/?????.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 3.0.t40mINaB76.exe.400000.12.unpack, ?ufffdWu02e8ufffd/??Ru07b4?.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\t40mINaB76.exe Memory written: C:\Users\user\Desktop\t40mINaB76.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\t40mINaB76.exe Process created: C:\Users\user\Desktop\t40mINaB76.exe C:\Users\user\Desktop\t40mINaB76.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Users\user\Desktop\t40mINaB76.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Users\user\Desktop\t40mINaB76.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\t40mINaB76.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\t40mINaB76.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\t40mINaB76.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\t40mINaB76.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.t40mINaB76.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.t40mINaB76.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c7aed0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c9d170.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t40mINaB76.exe.3c162b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.369389708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.368941333.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367162385.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616880091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.367916030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.388217387.0000000003C16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: t40mINaB76.exe PID: 6256, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652384 Sample: t40mINaB76.exe Startdate: 26/06/2022 Architecture: WINDOWS Score: 100 20 Snort IDS alert for network traffic 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 8 other signatures 2->26 6 t40mINaB76.exe 3 2->6         started        process3 file4 14 C:\Users\user\AppData\...\t40mINaB76.exe.log, ASCII 6->14 dropped 28 May check the online IP address of the machine 6->28 30 Injects a PE file into a foreign processes 6->30 10 t40mINaB76.exe 15 2 6->10         started        signatures5 process6 dnsIp7 16 checkip.dyndns.com 132.226.8.169, 49776, 80 UTMEMUS United States 10->16 18 checkip.dyndns.org 10->18 32 Tries to steal Mail credentials (via file / registry access) 10->32 34 Tries to harvest and steal ftp login credentials 10->34 36 Tries to harvest and steal browser information (history, passwords, etc) 10->36 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS true

Contacted Domains

Name IP Active
a-0019.standard.a-msedge.net 204.79.197.222 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ true
  • URL Reputation: safe
 unknown