Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756297
MD5: cfc1c66cba07daef1e8ac13d5e042e7a
SHA1: 10451947894a7af9a06adc619179e00e933fb20a
SHA256: addc1564d69b115e0cb5ff2264614c98dc51107f042e3ea0d93b99e49cf2e94b
Tags: NETexeMSILSnakeKeylogger
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: file.exe ReversingLabs: Detection: 37%
Source: file.exe Virustotal: Detection: 25% Perma Link
Source: file.exe Avira: detected
Source: file.exe Joe Sandbox ML: detected
Source: 3.0.file.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "arinzelog@saonline.xyz", "Password": "7213575aceACE@#$", "Host": "cp5ua.hyperhost.ua", "Port": "587"}
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0164F851h 3_2_0164F321
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 01648597h 3_2_016482D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 016489F7h 3_2_01648738
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0164FCA9h 3_2_0164F9F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 01647CD7h 3_2_016479A8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 01648E57h 3_2_01648B98
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 01646D19h 3_2_01646A59
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 016468A2h 3_2_01645DB7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 01648137h 3_2_01647E78
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 016472E0h 3_2_01646EC8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 016472E0h 3_2_0164720E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_016452D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 016472E0h 3_2_01646EB9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06727CF1h 3_2_06727A48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 067248D1h 3_2_06724628
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672DCA9h 3_2_0672DA00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 067285A1h 3_2_067282F8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06725181h 3_2_06724ED8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672E581h 3_2_0672E2D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06728149h 3_2_06727EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06724D29h 3_2_06724A80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672E129h 3_2_0672DE80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 067289F9h 3_2_06728750
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 067255D9h 3_2_06725330
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672E9D9h 3_2_0672E730
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06725E89h 3_2_06725BE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672F289h 3_2_0672EFE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06725A31h 3_2_06725788
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672EE31h 3_2_0672EB88
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06723319h 3_2_06723070
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 067262E1h 3_2_06726038
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672F6E1h 3_2_0672F438
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06726B91h 3_2_067268E8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06723771h 3_2_067234C8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0672FB62h 3_2_0672F8B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06726739h 3_2_06726490
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06724021h 3_2_06723D78
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06726FE9h 3_2_06726D40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06723BC9h 3_2_06723920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06727899h 3_2_067275F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06724479h 3_2_067241D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06727441h 3_2_06727198
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0672BF36
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0672BC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0672BC13

Networking

barindex
Source: Traffic Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.4:49696 -> 193.122.130.0:80
Source: C:\Users\user\Desktop\file.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: checkip.dyndns.org
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: file.exe, 00000003.00000002.588227793.0000000003222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: file.exe, 00000003.00000002.588190939.0000000003216000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.588227793.0000000003222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: file.exe, 00000003.00000002.587378130.0000000003181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe, 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, 00000003.00000002.588190939.0000000003216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org4
Source: file.exe, 00000000.00000003.321085020.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: file.exe, 00000003.00000002.587378130.0000000003181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322654693.0000000005DE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: file.exe, 00000000.00000003.323222872.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323456584.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323165080.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.come
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000003.323222872.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323456584.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322849771.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323165080.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: file.exe, 00000000.00000003.323222872.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323456584.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323165080.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comt
Source: file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comuctP
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.357757128.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000003.328186440.0000000005DED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000003.326503329.0000000005DEA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327161655.0000000005DEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers&
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000003.327948700.0000000005DED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: file.exe, 00000000.00000003.328017976.0000000005DED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.327948700.0000000005DED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000003.327061644.0000000005DEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlh
Source: file.exe, 00000000.00000003.325835624.0000000005DE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/h
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000003.328259813.0000000005DED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersR
Source: file.exe, 00000000.00000003.357757128.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comoitu
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000003.322004645.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322040067.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000003.322190648.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000003.322190648.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn9)z
Source: file.exe, 00000000.00000003.322004645.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322247274.0000000005DDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn_
Source: file.exe, 00000000.00000003.322004645.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-uAofz
Source: file.exe, 00000000.00000003.331690866.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331745202.0000000005DE8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331466240.0000000005DE5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331580926.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331524670.0000000005DE5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331820779.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000003.331573813.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332017649.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331737193.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331448993.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331935801.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331515934.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332325766.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331681925.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.331804071.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332125875.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.332245431.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000003.338369032.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.338650954.0000000005DF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323570476.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323578756.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322410540.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323642134.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322390325.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323539855.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322437371.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000003.322314879.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com#
Source: file.exe, 00000000.00000003.322410540.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322390325.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comn
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000003.325630110.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325677616.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: file.exe, 00000000.00000003.325755043.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325630110.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325677616.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de2
Source: file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: file.exe, 00000000.00000003.325630110.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325677616.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.dew
Source: file.exe, 00000000.00000003.325630110.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.325677616.0000000005DDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.dewa
Source: file.exe, 00000000.00000003.323222872.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323456584.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322784264.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.372638789.0000000006FE2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322849771.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322819666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323165080.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000000.00000003.322784264.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322849771.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322819666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cne
Source: file.exe, 00000000.00000003.323222872.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323273225.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323456584.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322784264.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322849771.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.322819666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323165080.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.323364666.0000000005DFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnmd
Source: file.exe, 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

barindex
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02F4F650 0_2_02F4F650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02F4C1F4 0_2_02F4C1F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02F4E650 0_2_02F4E650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02F4E642 0_2_02F4E642
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0164B020 3_2_0164B020
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_016430F2 3_2_016430F2
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01647358 3_2_01647358
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0164F321 3_2_0164F321
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_016482D8 3_2_016482D8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01648738 3_2_01648738
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0164F9F0 3_2_0164F9F0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_016479A8 3_2_016479A8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01648B98 3_2_01648B98
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01646A59 3_2_01646A59
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01645DB7 3_2_01645DB7
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01647E78 3_2_01647E78
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01647349 3_2_01647349
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_016452C7 3_2_016452C7
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_016452D8 3_2_016452D8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0164EBA8 3_2_0164EBA8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0164EB98 3_2_0164EB98
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727A48 3_2_06727A48
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724628 3_2_06724628
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672DA00 3_2_0672DA00
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067282F8 3_2_067282F8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724ED8 3_2_06724ED8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672E2D8 3_2_0672E2D8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727EA0 3_2_06727EA0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724A80 3_2_06724A80
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672DE80 3_2_0672DE80
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672B370 3_2_0672B370
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06728750 3_2_06728750
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06725330 3_2_06725330
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672E730 3_2_0672E730
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06725BE0 3_2_06725BE0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672EFE0 3_2_0672EFE0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06728BA8 3_2_06728BA8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672BF98 3_2_0672BF98
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06725788 3_2_06725788
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672EB88 3_2_0672EB88
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723070 3_2_06723070
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06720040 3_2_06720040
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06726038 3_2_06726038
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672F438 3_2_0672F438
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067268E8 3_2_067268E8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067234C8 3_2_067234C8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672F8B8 3_2_0672F8B8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06726490 3_2_06726490
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672CC98 3_2_0672CC98
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723D78 3_2_06723D78
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06726D40 3_2_06726D40
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723920 3_2_06723920
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067275F0 3_2_067275F0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067241D0 3_2_067241D0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727198 3_2_06727198
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724A72 3_2_06724A72
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672DE70 3_2_0672DE70
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727A38 3_2_06727A38
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724619 3_2_06724619
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067282F4 3_2_067282F4
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672B2CB 3_2_0672B2CB
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06724EC8 3_2_06724EC8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672E2C8 3_2_0672E2C8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727E91 3_2_06727E91
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672577B 3_2_0672577B
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672EB78 3_2_0672EB78
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06728740 3_2_06728740
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672E723 3_2_0672E723
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06725320 3_2_06725320
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06725BD0 3_2_06725BD0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672EFD1 3_2_0672EFD1
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06728B98 3_2_06728B98
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723060 3_2_06723060
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672BC20 3_2_0672BC20
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672602A 3_2_0672602A
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672F429 3_2_0672F429
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672BC13 3_2_0672BC13
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06720007 3_2_06720007
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067268DA 3_2_067268DA
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067234B8 3_2_067234B8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672F8A8 3_2_0672F8A8
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06726481 3_2_06726481
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672CC88 3_2_0672CC88
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723D69 3_2_06723D69
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06726D30 3_2_06726D30
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06723910 3_2_06723910
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672D9F0 3_2_0672D9F0
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067275E2 3_2_067275E2
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_067241C3 3_2_067241C3
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_06727188 3_2_06727188
Source: file.exe, 00000000.00000002.360238493.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs file.exe
Source: file.exe, 00000000.00000002.360238493.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs file.exe
Source: file.exe, 00000000.00000002.360238493.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs file.exe
Source: file.exe, 00000000.00000000.316505384.0000000000B5A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexjjr.exe6 vs file.exe
Source: file.exe, 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs file.exe
Source: file.exe, 00000000.00000002.375544869.0000000007740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs file.exe
Source: file.exe, 00000000.00000002.375282903.0000000007530000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs file.exe
Source: file.exe, 00000000.00000002.368144069.00000000041CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs file.exe
Source: file.exe, 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs file.exe
Source: file.exe, 00000003.00000002.585023334.0000000000FC7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe, 00000003.00000000.356676715.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamexjjr.exe6 vs file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe ReversingLabs: Detection: 37%
Source: file.exe Virustotal: Detection: 25%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x364
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/1@2/2
Source: file.exe, 00000003.00000002.588422652.0000000003274000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.588463806.0000000003280000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000003.00000002.588794821.00000000041FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: 3.0.file.exe.400000.0.unpack, ?u060cufffd??/ufffd?ufffd??.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.0.file.exe.400000.0.unpack, ??u00be?u05c3/?????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.file.exe.400000.0.unpack, ??u00be?u05c3/?????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

barindex
Source: file.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.file.exe.aa0000.0.unpack, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0672A3CB push esp; ret 3_2_0672A3D5
Source: file.exe Static PE information: 0xA1D69E9C [Sat Jan 15 21:24:44 2056 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.516664543280966
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\file.exe TID: 2024 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5308 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: file.exe, 00000000.00000002.365680487.0000000003439000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_01647358 LdrInitializeThunk, 3_2_01647358
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 3.0.file.exe.400000.0.unpack, ??u00be?u05c3/?????.cs Reference to suspicious API methods: ('???m?', 'MapVirtualKey@user32.dll')
Source: 3.0.file.exe.400000.0.unpack, u05c9??m?/ufffd?u060c?u26ca.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: Yara match File source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: 0.2.file.exe.416fa10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44a67c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.416fa10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.367556703.0000000004135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.356501796.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370182647.000000000445D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5260, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs