Click to jump to signature section
Source: NLRpif3sEB.exe | ReversingLabs: Detection: 60% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.9% probability |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00404911 CryptUnprotectData,LocalFree, | 0_2_00404911 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410D22 CryptUnprotectData,LocalFree, | 0_2_00410D22 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410ED8 CoCreateInstance,CoTaskMemFree,CoTaskMemFree,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, | 0_2_00410ED8 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00411FC7 CryptUnprotectData,LocalFree, | 0_2_00411FC7 |
Source: NLRpif3sEB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: NLRpif3sEB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00404CE1 FindFirstFileW,FindNextFileW,FindClose, | 0_2_00404CE1 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004108E4 FindFirstFileW,FindNextFileW,FindClose, | 0_2_004108E4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004118BB FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose, | 0_2_004118BB |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: unknown | TCP traffic detected without corresponding DNS query: 213.226.100.197 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004129A8 InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, | 0_2_004129A8 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveHost: 213.226.100.197 |
Source: NLRpif3sEB.exe, NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://213.226.100.197; |
Source: NLRpif3sEB.exe, 00000000.00000002.2634586223.0000000000400000.00000040.00001000.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2635265190.0000000002C51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://213.226.100.197;%s |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004058F2 OpenProcessToken,GetTokenInformation,NtCreateToken,CloseHandle, | 0_2_004058F2 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405750 GetTokenInformation,GetTokenInformation,DuplicateTokenEx,AdjustTokenPrivileges,NtSetInformationThread,CloseHandle, | 0_2_00405750 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A856 | 0_2_0040A856 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00408406 | 0_2_00408406 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040881D | 0_2_0040881D |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A4D4 | 0_2_0040A4D4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407CEF | 0_2_00407CEF |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004040BB | 0_2_004040BB |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040795E | 0_2_0040795E |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00403DFA | 0_2_00403DFA |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040D611 | 0_2_0040D611 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040821E | 0_2_0040821E |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00410ED8 | 0_2_00410ED8 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A2A0 | 0_2_0040A2A0 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407AA0 | 0_2_00407AA0 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00415B50 | 0_2_00415B50 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_0040A759 | 0_2_0040A759 |
Source: NLRpif3sEB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal80.troj.spyw.evad.winEXE@6/0@0/2 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405750 GetTokenInformation,GetTokenInformation,DuplicateTokenEx,AdjustTokenPrivileges,NtSetInformationThread,CloseHandle, | 0_2_00405750 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405836 RtlAdjustPrivilege,CreateToolhelp32Snapshot,Process32NextW,OpenProcess,OpenProcessToken,CloseHandle,CloseHandle,Process32NextW,CloseHandle, | 0_2_00405836 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407656 CoCreateInstance,SysAllocString,SysAllocString,VariantClear, | 0_2_00407656 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Mutant created: \Sessions\1\BaseNamedObjects\58E95B720E951117388365 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Command line argument: 0r | 0_2_00E47180 |
Source: NLRpif3sEB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | File read: C:\Users\user\Desktop\desktop.ini | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: NLRpif3sEB.exe | ReversingLabs: Detection: 60% |
Source: unknown | Process created: C:\Users\user\Desktop\NLRpif3sEB.exe "C:\Users\user\Desktop\NLRpif3sEB.exe" | |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 | |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: netapi32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: samcli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: webio.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: edputil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: appresolver.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 | Jump to behavior |
Source: NLRpif3sEB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: NLRpif3sEB.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44B40 LoadLibraryA,GetProcAddress, | 0_2_00E44B40 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00417AB0 push eax; ret | 0_2_00417AC4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00417AB0 push eax; ret | 0_2_00417AEC |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E467D5 push ecx; ret | 0_2_00E467E8 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" | |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess | graph_0-15319 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-15730 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-14346 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-16121 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe TID: 6472 | Thread sleep time: -30000s >= -30000s | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004145B8 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jne 00414B0Dh | 0_2_004145B8 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00404CE1 FindFirstFileW,FindNextFileW,FindClose, | 0_2_00404CE1 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004108E4 FindFirstFileW,FindNextFileW,FindClose, | 0_2_004108E4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004118BB FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose, | 0_2_004118BB |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004145B8 GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetComputerNameW,GetUserNameW,GetLocalTime,EnumDisplayDevicesW,GetKeyboardLayoutList,GetKeyboardLayoutList, | 0_2_004145B8 |
Source: NLRpif3sEB.exe, 00000000.00000002.2634885653.000000000115F000.00000004.00000020.00020000.00000000.sdmp, NLRpif3sEB.exe, 00000000.00000002.2634885653.000000000110E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | API call chain: ExitProcess graph end node | graph_0-15239 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E450C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00E450C4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44B40 LoadLibraryA,GetProcAddress, | 0_2_00E44B40 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00405108 mov eax, dword ptr fs:[00000030h] | 0_2_00405108 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004075F1 mov eax, dword ptr fs:[00000030h] | 0_2_004075F1 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407605 mov eax, dword ptr fs:[00000030h] | 0_2_00407605 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00407621 mov eax, dword ptr fs:[00000030h] | 0_2_00407621 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44CC0 mov eax, dword ptr fs:[00000030h] | 0_2_00E44CC0 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44960 mov eax, dword ptr fs:[00000030h] | 0_2_00E44960 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E44F20 mov ecx, dword ptr fs:[00000030h] | 0_2_00E44F20 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E450C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00E450C4 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E46A31 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00E46A31 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00E45B09 SetUnhandledExceptionFilter, | 0_2_00E45B09 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\user\Desktop\NLRpif3sEB.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: GetLocaleInfoA, | 0_2_00416E6D |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00413CAF CreateMutexA,ExitProcess,GetModuleFileNameW,ExitProcess,GetSystemTime,GetSystemTime,CloseHandle,ExitProcess, | 0_2_00413CAF |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_004145B8 GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetComputerNameW,GetUserNameW,GetLocalTime,EnumDisplayDevicesW,GetKeyboardLayoutList,GetKeyboardLayoutList, | 0_2_004145B8 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00406418 GetTimeZoneInformation, | 0_2_00406418 |
Source: C:\Users\user\Desktop\NLRpif3sEB.exe | Code function: 0_2_00416E8E RtlGetVersion, | 0_2_00416E8E |
Source: NLRpif3sEB.exe | String found in binary or memory: Electrum |
Source: NLRpif3sEB.exe | String found in binary or memory: com.liberty.jaxx\IndexedDB |
Source: NLRpif3sEB.exe | String found in binary or memory: Exodus |
Source: NLRpif3sEB.exe | String found in binary or memory: Ethereum |
Source: NLRpif3sEB.exe | String found in binary or memory: keystore |