Click to jump to signature section
Source: filedata.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: filedata.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: filedata.exe | String found in binary or memory: http://www.archivesystems.com/ |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_0995D2A8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, | 0_2_0995D2A8 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_0102C1B8 | 0_2_0102C1B8 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071EE0B0 | 0_2_071EE0B0 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071E3F20 | 0_2_071E3F20 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071E0F18 | 0_2_071E0F18 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071E3F10 | 0_2_071E3F10 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071E0F07 | 0_2_071E0F07 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09959A49 | 0_2_09959A49 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09956CA0 | 0_2_09956CA0 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09955C18 | 0_2_09955C18 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09959A49 | 0_2_09959A49 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09955C18 | 0_2_09955C18 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_09981348 | 0_2_09981348 |
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesystem.data.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279089458.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $cq,\\StringFileInfo\\000004B0\\OriginalFilename vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs filedata.exe |
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs filedata.exe |
Source: filedata.exe, 00000000.00000000.2032970445.0000000000650000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe |
Source: filedata.exe | Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe |
Source: filedata.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\filedata.exe | Mutant created: NULL |
Source: filedata.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: filedata.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\filedata.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | File read: C:\Users\user\Desktop\filedata.exe | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: dwrite.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: windowscodecs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: filedata.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: filedata.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: filedata.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_0102E732 push eax; ret | 0_2_0102E739 |
Source: C:\Users\user\Desktop\filedata.exe | Code function: 0_2_071E64C0 push eax; iretd | 0_2_071E6511 |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Memory allocated: FB0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Memory allocated: 2960000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Memory allocated: 4960000 memory reserve | memory write watch | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\filedata.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Users\user\Desktop\filedata.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\filedata.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |