Windows Analysis Report
app.exe

Overview

General Information

Sample name: app.exe
Analysis ID: 1436386
MD5: 75b9ef9142a78671d449c8d22ab6be14
SHA1: 0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256: e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains functionality to infect the boot sector
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Self deletion via cmd or bat file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Virustotal: Detection: 11%
Source: app.exe Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Joe Sandbox ML: detected
Source: app.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D04D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue, 0_2_025D04D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D04C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom, 0_2_025D04C0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A04D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue, 3_2_025A04D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255EB69 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,CloseHandle,HeapFree,HeapFree,ReadFile,ReadFile,CryptUnprotectData,CryptUnprotectData,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,HeapFree,ReadFile,ReadFile,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,GetLastError,HeapFree,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree, 3_2_0255EB69
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A04C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom, 3_2_025A04C0

Compliance

Source: C:\Users\user\Desktop\app.exe Unpacked PE file: 0.2.app.exe.2560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Unpacked PE file: 3.2.app.exe.2530000.2.unpack
Source: app.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49788 version: TLS 1.2
Source: Binary string: SRLPR.pdBf source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grabg::C:\\Users\\user\\Desktop\\GQSZOBXUFX\\RMDIWSRLPR.pdBfGbodyFUk1ESVdTU source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GQSZOBXUFX\\RMDIWSRLPR.pdBfIbodyHUk1ESVdTU source: app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00427361 GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00427361
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CA710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 0_2_025CA710
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E4B93 FindFirstFileExW, 0_2_025E4B93
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 3_2_0259A710
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree, 3_2_0259FEC0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B4B93 FindFirstFileExW, 3_2_025B4B93

Networking

Source: Traffic Snort IDS: 2051909 ET TROJAN Win32/FireStealer Related Server Response 144.208.127.230:80 -> 192.168.11.20:49789
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: SHOCK-1US
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: api.ipify.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 451Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 996Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1008Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1007Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 992Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1004Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1002Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1005Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1000Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 999Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 998Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 992Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 995Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 999Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1010Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1010Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 994Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1006Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1005Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1008Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1002Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1002Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1001Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 996Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 998Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 185Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 993Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1001Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1000Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1000Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 995Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 997Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1003Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1013Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1014Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 998Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1010Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1009Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1012Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1006Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1006Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1005Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1001Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1002Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 100842Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 29428Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 57241Host: 144.208.127.230
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 1270200Host: 144.208.127.230
Source: unknown TCP traffic detected without corresponding DNS query: 144.208.127.230
Source: app.exe, 00000003.00000003.3182148991.00000000055CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: app.exe, 00000003.00000003.3182148991.00000000055CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 451Host: 144.208.127.230
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230
Source: app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000091F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3141697165.000000000559A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.000000000094A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242018626.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3185017394.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3262410113.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3137031558.000000000558E000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3125985144.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.000000000094A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005591000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3101657336.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/7
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103448637.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/B
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/J
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/U
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/Y
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/e&
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/v
Source: app.exe, 00000003.00000003.3246373817.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/z
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230/~
Source: app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/
Source: app.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3101845651.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103619876.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/-35b871f0a661
Source: app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/-35b871f0a661ozi
Source: app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/L
Source: app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/R
Source: app.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/T
Source: app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/o
Source: app.exe, 00000003.00000003.3139260264.0000000005588000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123698644.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3134624186.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3125985144.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3139068962.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3136784723.0000000005586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230:80/w
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://144.208.127.230U
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: app.exe, 00000003.00000002.3295913444.0000000002530000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://POSTHTTP/1.1Content-Type:
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.office.com/office/url/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.office.com/office/url/setupMicrosoft
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://alldrivers4devices.net
Source: app.exe, 00000003.00000003.3246373817.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3093090885.0000000000913000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3092789933.000000000091F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3294569055.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3093090885.0000000000904000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.trustarc.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: Web Data.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcRJX35jqtu8qT267s2bDnzhp-lJVMQdhF5S6U4t
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcRgJaQoM7DXWRt-dg7YoOenavsVCx2_mgiT8oFn
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcSFe5-1ue4YewDL7QTtYG5GBPfUy7h9iJ7t-0kd
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOvNh-L3TTVll_wDyQd66TEaShUCp3i0iabc8se=w92-h92-n-k-no
Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipPFr704HJkdqZ5xefxGs53Btx8SeAbaCnWxa6-y=w92-h92-n-k-no
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: app.exe, 00000003.00000003.3183161453.00000000058D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/0
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: app.exe, 00000003.00000003.3182859527.00000000055F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://office.com/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://office.com/setupMicrosoft
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recoveringlib.blogspot.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com;9
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/?ms.officeurl=setupMicrosoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: app.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: app.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashaert
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://windows-drivers-x04.blogspot.com
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/7
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/AutoIt
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=at
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=autoit
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=eicar
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/setupMicrosoft
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49788 version: TLS 1.2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00424B38 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00424B38

System Summary

Source: app.exe Static PE information: section name: )m&
Source: app.exe.0.dr Static PE information: section name: )m&
Source: app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: app.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C02D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle, 0_2_025C02D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C77D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_025C77D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025902D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle, 3_2_025902D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025977D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 3_2_025977D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02579E36 AcquireSRWLockExclusive,AcquireSRWLockExclusive,NtDeviceIoControlFile,RtlNtStatusToDosError,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive, 3_2_02579E36
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A44A: GetCurrentProcess,SetPriorityClass,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass, 0_2_0040A44A
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_004092DE 0_2_004092DE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00404358 0_2_00404358
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040941D 0_2_0040941D
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040964F 0_2_0040964F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A770 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00407703 0_2_00407703
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_004077F6 0_2_004077F6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00409A38 0_2_00409A38
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00412AC0 0_2_00412AC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00425B56 0_2_00425B56
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00407DBE 0_2_00407DBE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00404E54 0_2_00404E54
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00418E0E 0_2_00418E0E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257A020 0_2_0257A020
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D91D2 0_2_025D91D2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025801BB 0_2_025801BB
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025BE5F7 0_2_025BE5F7
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0259AA16 0_2_0259AA16
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02583ABA 0_2_02583ABA
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D1862 0_2_025D1862
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02591E40 0_2_02591E40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0259BD08 0_2_0259BD08
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D3239 0_2_025D3239
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A3224 0_2_025A3224
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A0225 0_2_025A0225
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B72D7 0_2_025B72D7
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C42F5 0_2_025C42F5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A628E 0_2_025A628E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CF340 0_2_025CF340
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D430E 0_2_025D430E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02566320 0_2_02566320
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D632B 0_2_025D632B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A53DD 0_2_025A53DD
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025ED3D0 0_2_025ED3D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025DD3C0 0_2_025DD3C0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0258C38E 0_2_0258C38E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E3389 0_2_025E3389
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F13BD 0_2_025F13BD
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A3001 0_2_025A3001
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025BE030 0_2_025BE030
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D20E3 0_2_025D20E3
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257B090 0_2_0257B090
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EE16F 0_2_025EE16F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025AB13B 0_2_025AB13B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02563130 0_2_02563130
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256B1F0 0_2_0256B1F0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B1180 0_2_025B1180
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256A1B0 0_2_0256A1B0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025811A0 0_2_025811A0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02562670 0_2_02562670
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EE605 0_2_025EE605
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257B695 0_2_0257B695
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C0690 0_2_025C0690
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025AC6AE 0_2_025AC6AE
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02577754 0_2_02577754
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257771C 0_2_0257771C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257670C 0_2_0257670C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02563790 0_2_02563790
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02582449 0_2_02582449
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A6468 0_2_025A6468
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02563400 0_2_02563400
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B74D0 0_2_025B74D0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B34D6 0_2_025B34D6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256B4C0 0_2_0256B4C0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EF4C2 0_2_025EF4C2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256E490 0_2_0256E490
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A4544 0_2_025A4544
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D352A 0_2_025D352A
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025985C9 0_2_025985C9
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D85F4 0_2_025D85F4
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02598A44 0_2_02598A44
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A4A88 0_2_025A4A88
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0258BAB0 0_2_0258BAB0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02586B58 0_2_02586B58
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025A2B5E 0_2_025A2B5E
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02561B50 0_2_02561B50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256BB50 0_2_0256BB50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D1B40 0_2_025D1B40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0258DB7B 0_2_0258DB7B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0258EB69 0_2_0258EB69
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B6B1B 0_2_025B6B1B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EBB18 0_2_025EBB18
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256AB90 0_2_0256AB90
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0259585F 0_2_0259585F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025ED844 0_2_025ED844
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256F8EC 0_2_0256F8EC
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025D3890 0_2_025D3890
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025648A0 0_2_025648A0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025B98A5 0_2_025B98A5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02569950 0_2_02569950
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_02573962 0_2_02573962
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0257799F 0_2_0257799F
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C1E40 0_2_025C1E40
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F0E40 0_2_025F0E40
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_0552C3BF 3_3_0552C3BF
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02570225 3_2_02570225
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255C38E 3_2_0255C38E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A91D2 3_2_025A91D2
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025501BB 3_2_025501BB
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025511A0 3_2_025511A0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0258E5F7 3_2_0258E5F7
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0256AA16 3_2_0256AA16
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02574A88 3_2_02574A88
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02553ABA 3_2_02553ABA
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02556B58 3_2_02556B58
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255DB7B 3_2_0255DB7B
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255EB69 3_2_0255EB69
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0256585F 3_2_0256585F
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A1862 3_2_025A1862
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025898A5 3_2_025898A5
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02561E40 3_2_02561E40
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255AE37 3_2_0255AE37
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02557C6F 3_2_02557C6F
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02553C05 3_2_02553C05
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02584D4A 3_2_02584D4A
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0256BD08 3_2_0256BD08
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A3239 3_2_025A3239
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02573224 3_2_02573224
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025872D7 3_2_025872D7
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025942F5 3_2_025942F5
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0257628E 3_2_0257628E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259F340 3_2_0259F340
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A430E 3_2_025A430E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A632B 3_2_025A632B
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02536320 3_2_02536320
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025753DD 3_2_025753DD
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BD3D0 3_2_025BD3D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025AD3C0 3_2_025AD3C0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B3389 3_2_025B3389
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C13BD 3_2_025C13BD
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02573001 3_2_02573001
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0258E030 3_2_0258E030
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254A020 3_2_0254A020
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A20E3 3_2_025A20E3
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254B090 3_2_0254B090
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BE16F 3_2_025BE16F
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02533130 3_2_02533130
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0257B13B 3_2_0257B13B
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253B1F0 3_2_0253B1F0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02581180 3_2_02581180
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253A1B0 3_2_0253A1B0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02532670 3_2_02532670
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BE605 3_2_025BE605
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254B695 3_2_0254B695
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02590690 3_2_02590690
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0257C6AE 3_2_0257C6AE
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02547754 3_2_02547754
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254771C 3_2_0254771C
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254670C 3_2_0254670C
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02533790 3_2_02533790
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02552449 3_2_02552449
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02576468 3_2_02576468
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02533400 3_2_02533400
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025874D0 3_2_025874D0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025834D6 3_2_025834D6
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253B4C0 3_2_0253B4C0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BF4C2 3_2_025BF4C2
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253E490 3_2_0253E490
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02574544 3_2_02574544
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A352A 3_2_025A352A
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025685C9 3_2_025685C9
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A85F4 3_2_025A85F4
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02568A44 3_2_02568A44
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0255BAB0 3_2_0255BAB0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02531B50 3_2_02531B50
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253BB50 3_2_0253BB50
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02572B5E 3_2_02572B5E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A1B40 3_2_025A1B40
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BBB18 3_2_025BBB18
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02586B1B 3_2_02586B1B
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253AB90 3_2_0253AB90
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BD844 3_2_025BD844
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253F8EC 3_2_0253F8EC
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A3890 3_2_025A3890
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025348A0 3_2_025348A0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02539950 3_2_02539950
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02543962 3_2_02543962
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0254799F 3_2_0254799F
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02591E40 3_2_02591E40
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C0E40 3_2_025C0E40
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02587E74 3_2_02587E74
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02579E36 3_2_02579E36
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02536EC0 3_2_02536EC0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02586ECC 3_2_02586ECC
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02557EF1 3_2_02557EF1
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0257DEE0 3_2_0257DEE0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02586F5B 3_2_02586F5B
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0257CF7C 3_2_0257CF7C
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02542F21 3_2_02542F21
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02542C6E 3_2_02542C6E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02580C00 3_2_02580C00
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02567C09 3_2_02567C09
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025A5CD3 3_2_025A5CD3
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02586CC5 3_2_02586CC5
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BDCE6 3_2_025BDCE6
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02532C90 3_2_02532C90
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02557CA3 3_2_02557CA3
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BFCA7 3_2_025BFCA7
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02572D42 3_2_02572D42
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02577D14 3_2_02577D14
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02578D25 3_2_02578D25
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02594DD0 3_2_02594DD0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_02586DD2 3_2_02586DD2
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe E9BC44CF548A70E7285499209973FAF44B7374DECE1413DFCDC03BF25A6C599C
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: String function: 025BCAF0 appears 156 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: String function: 02533D50 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: String function: 025ADE90 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: String function: 025BC9A0 appears 60 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 00416398 appears 132 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 025ECAF0 appears 112 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 00416EF8 appears 50 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 025EC9A0 appears 45 times
Source: C:\Users\user\Desktop\app.exe Code function: String function: 02563D50 appears 73 times
Source: app.exe, 00000000.00000002.2682613339.000000000044D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs app.exe
Source: app.exe, 00000003.00000000.2681579898.000000000044D000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilename vs app.exe
Source: app.exe Binary or memory string: OriginalFilename vs app.exe
Source: app.exe.0.dr Binary or memory string: OriginalFilename vs app.exe
Source: app.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: app.exe.0.dr Binary string: Could not open \device\physicalmemory
Source: app.exe.0.dr Binary string: Could not map view of %X length %XCould not open \device\physicalmemory\device\physicalmemoryRtlNtStatusToDosErrorNtMapViewOfSectionNtOpenSectionNtUnmapViewOfSectionntdll.dllRtlInitUnicodeString%c
Source: classification engine Classification label: mal100.spyw.evad.winEXE@10/6@1/2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025C2A50 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree, 0_2_025C2A50
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040A130 GetVersionExA,CoCreateInstance,CoSetProxyBlanket,VariantInit,lstrlenW,lstrcpynA,WideCharToMultiByte, 0_2_0040A130
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00423119 EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_00423119
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Mutant created: \Sessions\1\BaseNamedObjects\hrzbaov
Source: C:\Users\user\Desktop\app.exe File created: C:\Users\user\AppData\Local\Temp\7041956494665639546
Source: app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\app.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\app.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: app.exe, 00000003.00000003.3188734917.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: app.exe Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\app.exe File read: C:\Users\user\Desktop\app.exe
Source: unknown Process created: C:\Users\user\Desktop\app.exe "C:\Users\user\Desktop\app.exe"
Source: C:\Users\user\Desktop\app.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\app.exe Process created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\app.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\app.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\app.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: app.exe Static file information: File size 1290240 > 1048576
Source: Binary string: SRLPR.pdBf source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grabg::C:\\Users\\user\\Desktop\\GQSZOBXUFX\\RMDIWSRLPR.pdBfGbodyFUk1ESVdTU source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GQSZOBXUFX\\RMDIWSRLPR.pdBfIbodyHUk1ESVdTU source: app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\app.exe Unpacked PE file: 0.2.app.exe.2560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Unpacked PE file: 3.2.app.exe.2530000.2.unpack
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress, 0_2_0042C59F
Source: app.exe Static PE information: section name: )m&
Source: app.exe.0.dr Static PE information: section name: )m&
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416398 push eax; ret 0_2_004163B6
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415460 push eax; ret 0_2_00415474
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415460 push eax; ret 0_2_0041549C
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0047EC7F push FFFFFFA1h; retf 0_2_0047EC82
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416F33 push ecx; ret 0_2_00416F43
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F23AD push es; iretd 0_2_025F2454
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EC6A1 push ecx; ret 0_2_025EC6B4
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F3881 push eax; ret 0_2_025F3882
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F691F push eax; ret 0_2_025F6997
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_0552C6D7 push cs; iretd 3_3_0552C6D8
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_055288A8 pushad ; iretd 3_3_055288A9
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_05E6B3EB push ss; retf 3_3_05E6B497
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C23AD push es; iretd 3_2_025C2454
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BC6A1 push ecx; ret 3_2_025BC6B4
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C3881 push eax; ret 3_2_025C3882
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C691F push eax; ret 3_2_025C6997

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00409F46
Source: C:\Users\user\Desktop\app.exe File created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe

Boot Survival

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_0040A770
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_00409F46

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process created: cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00401660 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00401660
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040CFF1 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0040CFF1
Source: C:\Users\user\Desktop\app.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_SMBIOSMemory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryArray
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryDevice
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_SMBIOSMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryArray
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryDevice
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00408FF2 rdtsc 0_2_00408FF2
Source: C:\Users\user\Desktop\app.exe Code function: LoadLibraryA,FreeLibrary,GetAdaptersInfo,GetAdaptersInfo, 0_2_00402D69
Source: C:\Users\user\Desktop\app.exe API coverage: 2.6 %
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe API coverage: 8.1 %
Source: C:\Users\user\Desktop\app.exe TID: 1440 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe TID: 6904 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe TID: 1588 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 1928 Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00427361 GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00427361
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CA710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 0_2_025CA710
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E4B93 FindFirstFileExW, 0_2_025E4B93
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree, 3_2_0259A710
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree, 3_2_0259FEC0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B4B93 FindFirstFileExW, 3_2_025B4B93
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041E91D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0041E91D
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3092789933.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3098259663.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000956000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E44E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_025E44E2
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CD430 GetProcessHeap,RtlAllocateHeap, 0_2_025CD430
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B198 SetUnhandledExceptionFilter, 0_2_0041B198
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B1AC SetUnhandledExceptionFilter, 0_2_0041B1AC
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256EAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree, 0_2_0256EAC0
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025DE0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_025DE0C8
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253EAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree, 3_2_0253EAC0
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025AE0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_025AE0C8
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B44E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_025B44E2
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025ADC6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_025ADC6E
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025ADDCA SetUnhandledExceptionFilter, 3_2_025ADDCA
Source: C:\Users\user\Desktop\app.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\app.exe Process created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00409127 cpuid 0_2_00409127
Source: C:\Users\user\Desktop\app.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00401000
Source: C:\Users\user\Desktop\app.exe Code function: GetLocaleInfoA, 0_2_0041E705
Source: C:\Users\user\Desktop\app.exe Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA, 0_2_00429E88
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\3D Objects VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\VirtualStore VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Intel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Sun VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Flash Player VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Headlights VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Linguistics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\LogTransport2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\AddIns VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Credentials VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Excel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\MMC VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Protect VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Vault VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\SystemExtensionsDev VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Sun\Java VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Contacts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Contacts\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\app.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\app.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\JDSOXXXWOA VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\PSAMNLJHZW VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\Word.lnk VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\Word.lnk VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\AFWAAFRXKO VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\IVHSHTCODI VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\JDSOXXXWOA VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\JPEAFKFPZY.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\XQACHMZIHU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Music VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Music\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Music\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Pictures\Camera Roll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Pictures\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Pictures\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Videos VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Videos\Captures VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Videos\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Videos\desktop.ini VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\PSAMNLJHZW VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\autoit-v3-setup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\autoit-v3-setup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\OfficeSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\OfficeSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Google.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Links VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Live.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Brighten Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Brighten Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\BRIGHT~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\BRIGHT~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Darken Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Darken Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\DARKEN~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\DARKEN~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Enhance Video Colors.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Enhance Video Colors.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\ENHANC~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\ENHANC~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Downloads.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms\Unistore VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdpresource VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdpresource VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\3534848bb9f4cb71 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\cb00da9ba77862e VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\CrashReports VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\Software Reporter Tool VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel\CUIPromotions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel\Games VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\EdgeBho VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Feeds VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\GameDVR VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\InputPersonalization VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Internet Explorer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\PlayReady VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\XboxLive VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge\SharedCacheContainers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\ActiveSync VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\AppUp.IntelGraphicsExperience_8j3eq9eme6ctt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.GetHelp_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Framework.1.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Runtime.1.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Runtime.2.2_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Print3D_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.1_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.6_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAppRuntime.1.2_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\SpotifyAB.SpotifyMusic_zpdnekdrzrea0 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0353475199 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0487075091 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0615447233 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0666563528 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0825612946 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0887538035 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0939541263 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1169381505 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1244065654 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1287572840 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1343496627 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1387277564 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1417002460 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2165547404 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2265332024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2265465471 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2874006916 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3677062445 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\acrord32_sbx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\B018D45B-96A4-4B60-BED4-BC78D47B50F2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Importer_6_Default_4 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MpCmdRun.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Symbols VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\TCDE6D1.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\TCDE6EA.tmp VolumeInformation
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041C882 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C882
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041DD1B GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041DD1B
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415DDE EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_00415DDE
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Electrum\wallets\tjYCo5b
Source: app.exe, 00000003.00000003.3098259663.0000000000956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :"AtomicWallet","path":"%APPDATA%\\atomic\\Local Storage\\leveldb\\"},{"name":"Exodus","path":"%APPDATA%\\exodus\\exodus.wallet\\"},{"name":"JaxxWallet","path":"%APPDATA%\\Wallets\\Jaxx\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\"},{"
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Ethereum\keystore\XdPr
Source: app.exe, 00000003.00000003.3292397056.000000000556B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\Coinomi\Coinomi\wallets\
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %APPDATA%\exodus\exodus.wallet\Y
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\Local Settings\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\Local Settings\Mozilla\Firefox\Profiles\kzpbmws1.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\