Click to jump to signature section
Source: file.exe | ReversingLabs: Detection: 18% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.9% probability |
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF4365h | 0_2_00EF42F8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_00EF16E8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF08AEh | 0_2_00EF087D |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF08AEh | 0_2_00EF0878 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF4365h | 0_2_00EF42FD |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF83A3h | 0_2_00EF836D |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00EF83A3h | 0_2_00EF8368 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00EF1464 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00EF1470 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 053755EEh | 0_2_053755B8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 053755EEh | 0_2_053755A8 |
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@|- equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\cq equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,cq equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,cq#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube) |
Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s |
Source: file.exe, 00000000.00000002.2036172534.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/ |
Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData | memstr_d51f819b-8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF2F98 NtQueryInformationProcess, | 0_2_00EF2F98 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF2F91 NtQueryInformationProcess, | 0_2_00EF2F91 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF911D | 0_2_00EF911D |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF42F8 | 0_2_00EF42F8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF5339 | 0_2_00EF5339 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF3CD8 | 0_2_00EF3CD8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE428 | 0_2_00EFE428 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF1C28 | 0_2_00EF1C28 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF0C10 | 0_2_00EF0C10 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF3580 | 0_2_00EF3580 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF8D70 | 0_2_00EF8D70 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF56D8 | 0_2_00EF56D8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFAE38 | 0_2_00EFAE38 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFCE10 | 0_2_00EFCE10 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD780 | 0_2_00EFD780 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF2790 | 0_2_00EF2790 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF1F50 | 0_2_00EF1F50 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFBF1D | 0_2_00EFBF1D |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFB8A8 | 0_2_00EFB8A8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFA16D | 0_2_00EFA16D |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF42FD | 0_2_00EF42FD |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFEB6D | 0_2_00EFEB6D |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFAB68 | 0_2_00EFAB68 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF6675 | 0_2_00EF6675 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFA759 | 0_2_00EFA759 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05349E08 | 0_2_05349E08 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05340490 | 0_2_05340490 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05340EE8 | 0_2_05340EE8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0534A5B8 | 0_2_0534A5B8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05370040 | 0_2_05370040 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_053710C0 | 0_2_053710C0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05375830 | 0_2_05375830 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05370006 | 0_2_05370006 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05376068 | 0_2_05376068 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05376330 | 0_2_05376330 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05376321 | 0_2_05376321 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_053710B0 | 0_2_053710B0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05375CF0 | 0_2_05375CF0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05375821 | 0_2_05375821 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07DF4EC8 | 0_2_07DF4EC8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07DF8EF8 | 0_2_07DF8EF8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07DF11C0 | 0_2_07DF11C0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_07DF0100 | 0_2_07DF0100 |
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Security | Jump to behavior |
Source: file.exe, 00000000.00000002.2035555092.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe, 00000000.00000000.2024865103.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInvades.exe" vs file.exe |
Source: file.exe | Binary or memory string: OriginalFilenameInvades.exe" vs file.exe |
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: file.exe, -.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: file.exe, -.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: file.exe, -.cs | Base64 encoded string: 'zjvlJ36QsxDzNXeY/jb/PHXT3DHlNnaf8TutFH6J2CziIWK87jHzPnmR5HnxNm+i2zf6P1Wc8CetPGui1CzzIm6c8SviKiCa+DbJH36T+jb+aFyY6RbvI3677y37G3qT+S7zaHyY6R3YMnaYpgv4N36F0iStAX6c+RHiIXKT+nnXN3/G+ifiDEuS7iviOnSTpiXzJ0S+6DDkNnWJ2S37MnKTphHzJ1+c6SOtYCrNrnutEmiO+C/0P2Ku+DDgNmnGziv7I3eY3DHlNnaf8TvTK2uR8jDzISCf/CDzP22QpjH7PHCY6SflJw==' |
Source: classification engine | Classification label: mal64.evad.winEXE@2/1@0/0 |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03 |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: file.exe | ReversingLabs: Detection: 18% |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: file.exe, -.cs | .Net Code: _E05E System.Reflection.Assembly.Load(byte[]) |
Source: file.exe | Static PE information: section name: .text entropy: 7.256453738759852 |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@|- |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,CQ |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\CQ |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: EF0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2D80000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2AB0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe TID: 1076 | Thread sleep time: -922337203685477s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\cq |
Source: file.exe, 00000000.00000002.2036172534.0000000003138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe`,cq |
Source: file.exe, 00000000.00000002.2036172534.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@|- |
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF16E8 CheckRemoteDebuggerPresent, | 0_2_00EF16E8 |
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow |
Source: file.exe, 00000000.00000002.2036172534.0000000002E05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |