Windows Analysis Report
PiratedLauncher.exe

Overview

General Information

Sample name: PiratedLauncher.exe
Analysis ID: 1655143
MD5: 9cf70e7720867826dbcfb024bb1beb90
SHA1: dc2936155faa218a03ef98bcdcaa15b1cf7e45da
SHA256: af21c3e996213f7b1b9b58363723990f423cfa846d824625ddf4977dd550e579

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]
  • System is w10x64_ra
  • PiratedLauncher.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\PiratedLauncher.exe" MD5: 9CF70E7720867826DBCFB024BB1BEB90)
  • PiratedLauncher.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\PiratedLauncher.exe" MD5: 9CF70E7720867826DBCFB024BB1BEB90)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
PiratedLauncher.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.1195281641.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000000.1056274522.0000000000202000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: PiratedLauncher.exe PID: 6964 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: PiratedLauncher.exe PID: 6184 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

              AV Detection

Source: PiratedLauncher.exe | Virustotal: Detection: 46%
Source: PiratedLauncher.exe | ReversingLabs: Detection: 41%
Source: Submitted Sample | Neural Call Log Analysis: 90.6%
Source: PiratedLauncher.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: PiratedLauncher.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003879000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1194342520.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003879000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1194342520.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: PiratedLauncher.exe
Source: Binary string: C:\Users\danie\Desktop\Documentos\PiratedLauncher\PiratedLauncher\obj\Debug\PiratedLauncher.pdb source: PiratedLauncher.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: PiratedLauncher.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|806F4C19B2D7FD9E3B836269EC07647019A29E95|7960 source: PiratedLauncher.exe
Source: PiratedLauncher.exe | String found in binary or memory: https://piratedheat.top/api/checkKey.php?api_key=
Source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://piratedheat.top/api/json
Source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://piratedheat.top/api/launcherVersion
Source: PiratedLauncher.exe | String found in binary or memory: https://piratedheat.top/api/launcherVersionAhttps://piratedheat.top/api/json
Source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PiratedLauncher.exe
Source: PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PiratedLauncher.exe
Source: PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003879000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PiratedLauncher.exe
Source: PiratedLauncher.exe, 00000000.00000002.1103685563.0000000000963000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PiratedLauncher.exe
Source: PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PiratedLauncher.exe
Source: PiratedLauncher.exe, 00000002.00000002.1194342520.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs PiratedLauncher.exe
Source: PiratedLauncher.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal60.evad.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\PiratedLauncher.exe | Mutant created: NULL
Source: PiratedLauncher.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PiratedLauncher.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PiratedLauncher.exe | String found in binary or memory: Exiting.Whttps://piratedheat.top/api/launcherVersionAhttps://piratedheat.top/api/json
Source: unknown | Process created: C:\Users\user\Desktop\PiratedLauncher.exe "C:\Users\user\Desktop\PiratedLauncher.exe"
Source: unknown | Process created: C:\Users\user\Desktop\PiratedLauncher.exe "C:\Users\user\Desktop\PiratedLauncher.exe"
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder - Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: PiratedLauncher.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PiratedLauncher.exe - Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: PiratedLauncher.exe - Static file information: File size 1699840 > 1048576
              Source: PiratedLauncher.exe - Static PE information: Raw size of .text is bigger than: 0x100000 < 0x176000
              Source: PiratedLauncher.exe - Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: PiratedLauncher.exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003879000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1194342520.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: PiratedLauncher.exe, 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000000.00000002.1104800164.0000000003879000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1195281641.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, PiratedLauncher.exe, 00000002.00000002.1194342520.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: costura.costura.pdb.compressed source: PiratedLauncher.exe
              Source: Binary string: C:\Users\danie\Desktop\Documentos\PiratedLauncher\PiratedLauncher\obj\Debug\PiratedLauncher.pdb source: PiratedLauncher.exe
              Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: PiratedLauncher.exe
              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|806F4C19B2D7FD9E3B836269EC07647019A29E95|7960 source: PiratedLauncher.exe

              Data Obfuscation

              Source: PiratedLauncher.exe, AssemblyLoader.cs - .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
              Source: Yara match - File source: PiratedLauncher.exe, type: SAMPLE
              Source: Yara match - File source: 00000002.00000002.1195281641.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000000.1056274522.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: PiratedLauncher.exe PID: 6964, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: PiratedLauncher.exe PID: 6184, type: MEMORYSTR
              Source: PiratedLauncher.exe - Static PE information: 0xF4F1661D [Tue Mar 23 04:57:01 2100 UTC]
              Source: PiratedLauncher.exe - Static PE information: section name: .text entropy: 7.791525435429848
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 2630000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 2870000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 2630000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 2B40000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 2CF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: 4CF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PiratedLauncher.exe TID: 6988 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PiratedLauncher.exe TID: 6224 - Thread sleep time: -922337203685477s >= -30000s
              Source: all processes - Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Queries volume information: C:\Users\user\Desktop\PiratedLauncher.exe VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PiratedLauncher.exe | Queries volume information: C:\Users\user\Desktop\PiratedLauncher.exe VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PiratedLauncher.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 31 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Software Packing | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              [Behavior graph, ID: 1655143. Sample: PiratedLauncher.exe; Startdate: 03/04/2025; Architecture: WINDOWS; Score: 60. Signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; Joe Sandbox ML detected suspicious sample; Yara detected Costura Assembly Loader. Processes started: PiratedLauncher.exe (two instances).]

              Source | Detection | Scanner | Label | Link
              PiratedLauncher.exe | 47% | Virustotal | | Browse
              PiratedLauncher.exe | 42% | ReversingLabs | Win32.Infostealer.Tinba |
              SAMPLE | 100% | Joe Sandbox ML | |
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://piratedheat.top/api/launcherVersion | 0% | Avira URL Cloud | safe |
              https://piratedheat.top/api/json | 0% | Avira URL Cloud | safe |
              https://piratedheat.top/api/checkKey.php?api_key= | 0% | Avira URL Cloud | safe |
              https://piratedheat.top/api/launcherVersionAhttps://piratedheat.top/api/json | 0% | Avira URL Cloud | safe |
              No contacted domains info
                                                                      No contacted IP infos
                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                      Analysis ID:1655143
                                                                      Start date and time:2025-04-03 01:31:09 +02:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 3m 40s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                      Number of analysed new started processes analysed:13
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:PiratedLauncher.exe
                                                                      Detection:MAL
                                                                      Classification:mal60.evad.winEXE@2/0@0/0
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 20.109.210.53, 184.31.69.3, 40.126.24.147, 23.33.40.141, 20.12.23.50
                                                                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, fe3cr.delivery.mp.microsoft.com
                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      No simulations
                                                                      No context
                                                                      No created / dropped files found
                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.731249046113808
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:PiratedLauncher.exe
                                                                      File size:1'699'840 bytes
                                                                      MD5:9cf70e7720867826dbcfb024bb1beb90
                                                                      SHA1:dc2936155faa218a03ef98bcdcaa15b1cf7e45da
                                                                      SHA256:af21c3e996213f7b1b9b58363723990f423cfa846d824625ddf4977dd550e579
                                                                      SHA512:36033d9cdd625f5fd856c036516e6477c065976859f1a9a3a24a9e474549010586af6df97d4287d2b8d2979b5cee980bb9381532b3d2d4f021da54087112b1bf
                                                                      SSDEEP:24576:7RHQqWRHQqmRHQqZxkqjVnlqud+/2P+AnyFoBkkAd04wJAAh/jV1gJcPNZI6fnCk:7qhq5qixkqXfd+/9AyanywJAaD4qq
                                                                      TLSH:6975D0269EA5E85BE3B219BCE4F0D03E597C883A1D17D203AD950DD9AF76F9C7E40180
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f............"...0..`...........~... ........@.. .......................@............`................................
                                                                      Icon Hash:c996366b7b73b3e7
                                                                      Entrypoint:0x577e1e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0xF4F1661D [Tue Mar 23 04:57:01 2100 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x177dc8 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x178000 | 0x28a70 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a2000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x177d18 | 0x38 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x175e24 | 0x176000 | 43de0c21288849b84527e3fa3e6d565b | False | 0.8640495749080882 | data | 7.791525435429848 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x178000 | 0x28a70 | 0x28c00 | 60b966f21cafcbff52c206c050cf1be6 | False | 0.6659077837423313 | data | 6.949260871131346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a2000 | 0xc | 0x200 | ade108c1f320ef9b0199b5793db4dab5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1781a0 | 0xfdaf | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0004003510770985 |
| RT_ICON | 0x187f60 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.42353306518395833 |
| RT_ICON | 0x198798 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.5199574870099197 |
| RT_ICON | 0x19c9d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.5578838174273859 |
| RT_ICON | 0x19ef88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.6146810506566605 |
| RT_ICON | 0x1a0040 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.675531914893617 |
| RT_GROUP_ICON | 0x1a04b8 | 0x5a | data | | | 0.7666666666666667 |
| RT_VERSION | 0x1a0524 | 0x34c | data | | | 0.41232227488151657 |
| RT_MANIFEST | 0x1a0880 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| Comments | |
| CompanyName | |
| FileDescription | PiratedLauncher |
| FileVersion | 1.0.0.0 |
| InternalName | PiratedLauncher.exe |
| LegalCopyright | Copyright 2024 |
| LegalTrademarks | |
| OriginalFilename | PiratedLauncher.exe |
| ProductName | PiratedLauncher |
| ProductVersion | 1.0.0.0 |
| Assembly Version | 1.0.0.0 |

                                                                      No network behavior found


Target ID: 0
Start time: 19:31:37
Start date: 02/04/2025
Path: C:\Users\user\Desktop\PiratedLauncher.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PiratedLauncher.exe"
Imagebase: 0x200000
File size: 1'699'840 bytes
MD5 hash: 9CF70E7720867826DBCFB024BB1BEB90
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1056274522.0000000000202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1104672970.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 19:31:48
Start date: 02/04/2025
Path: C:\Users\user\Desktop\PiratedLauncher.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PiratedLauncher.exe"
Imagebase: 0x740000
File size: 1'699'840 bytes
MD5 hash: 9CF70E7720867826DBCFB024BB1BEB90
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.1195281641.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                      No disassembly