Windows Analysis Report Ambrosial.exe

Overview

General Information

Sample Name: Ambrosial.exe
Analysis ID: 512228
MD5: 3480891869269773f85cf1cb389bbf96
SHA1: 6c08b67e2fb0f63788ad2fd7f74ba160eb507175
SHA256: 1fd73d2549cb9a36d4a27fd7ed6f9ba7aa0ff0e1103b4b96821de901152b118e
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Writes to foreign memory regions
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
.NET source code contains process injector
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Ambrosial.exe Virustotal: Detection: 38%
Antivirus / Scanner detection for submitted sample
Source: Ambrosial.exe Avira: detected
Machine Learning detection for sample
Source: Ambrosial.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Ambrosial.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbg source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb/ source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: shcore.pdby source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: E:\buildslave\win\64x\ambrosial-64xR\Ambrosial\Ambrosial\obj\x64\Release\Ambrosial.pdb source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbK source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: combase.pdba source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbW source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\Guna.UI2\Build\Guna.UI2.WinForms\build\nuget\release\Guna.UI2.pdb source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 178.33.87.34 ports 45760,0,4,5,6,7
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /disepi/ambrosial/main/cachedclients.json HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /disepi/ambrosial/main/cachedclients.json HTTP/1.1 Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /attachments/757752473690570865/882393335279534180/zephyrNewB.png HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/757752473690570865/882393335279534180/zephyrNewB.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/863628606516625408/866495749909643294/ZephyrBannerIcon-nxstBX5z.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/844005578808360960/yeeee.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835331120836378624/atani2.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835660013732626522/ataniclassic.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835691740962226216/ataraxiaback.png HTTP/1.1 Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835895405849739344/auroraback.png HTTP/1.1 Host: cdn.discordapp.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.108.133
Source: Joe Sandbox View IP Address: 162.159.133.233
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 178.33.87.34:45760
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: WerFault.exe, 00000007.00000002.363004473.0000000004620000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Ambrosial.exe, 00000003.00000003.542531599.0000020255DF7000.00000004.00000001.sdmp, Ambrosial.exe, 00000003.00000003.537582045.0000020255DF8000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: AppLaunch.exe, 00000004.00000002.414510553.000000000526D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault$
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000004.00000002.416317845.000000000729C000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp, AppLaunch.exe, 00000004.00000002.417362319.00000000073DB000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15V
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16V
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp, AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AppLaunch.exe, 00000004.00000002.416317845.000000000729C000.00000004.00000001.sdmp, AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000004.00000002.416342243.00000000072A0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000004.00000002.416581209.0000000007315000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.311706017.000002023A912000.00000002.00020000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.311706017.000002023A912000.00000002.00020000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: Ambrosial.exe, 00000003.00000000.311706017.000002023A912000.00000002.00020000.sdmp String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Ambrosial.exe, 00000003.00000003.553045828.000002023BEFE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Ambrosial.exe, 00000003.00000003.553045828.000002023BEFE000.00000004.00000001.sdmp, Ambrosial.exe, 00000003.00000003.552544520.000002023BEFE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Ambrosial.exe, 00000003.00000003.522806659.000002024E28E000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Microsoft
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AppLaunch.exe, 00000004.00000002.416012073.0000000007201000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp String found in binary or memory: https://picsum.photos/624/191?blur=10GDownloaded
Source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp String found in binary or memory: https://raw.githubusercontent.com/disepi/ambrosial/main/cachedclients.json9JSON
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Ambrosial.exe, 00000000.00000002.315663583.0000000000448000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp, turbosquad_support417981.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: AppLaunch.exe, 00000004.00000002.418807573.0000000008257000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /disepi/ambrosial/main/cachedclients.json HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /disepi/ambrosial/main/cachedclients.json HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /attachments/757752473690570865/882393335279534180/zephyrNewB.png HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/757752473690570865/882393335279534180/zephyrNewB.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/757752473690570865/882393335279534180/zephyrNewB.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/863628606516625408/866495749909643294/ZephyrBannerIcon-nxstBX5z.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/844005578808360960/yeeee.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/844005578808360960/yeeee.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/844005578808360960/yeeee.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835331120836378624/atani2.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835660013732626522/ataniclassic.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835660013732626522/ataniclassic.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835691740962226216/ataraxiaback.png HTTP/1.1Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/489891892142669842/835895405849739344/auroraback.png HTTP/1.1Host: cdn.discordapp.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown TCP traffic detected without corresponding DNS query: 178.33.87.34
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49748 version: TLS 1.2

System Summary:

PE file contains section with special chars
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 516
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 2_2_00519153
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_07040A60 4_2_07040A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_0704EA80 4_2_0704EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_09743A00 4_2_09743A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_0974BC58 4_2_0974BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_0974EF27 4_2_0974EF27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_0974EF28 4_2_0974EF28
PE file contains strange resources
Source: Ambrosial.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ambrosial.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Ambrosial.exe Section loaded: starttiledata.dll
PE file contains more sections than normal
Source: turbosquad_support417981.exe.0.dr Static PE information: Number of sections : 12 > 10
Uses 32bit PE files
Source: Ambrosial.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe File created: C:\Windows\Fonts\Azonix.otf
PE file does not import any functions
Source: Ambrosial.exe.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGuna.UI2.dllD vs Ambrosial.exe
Source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Ambrosial.exe
Source: GunaDotNetRT64.dll.3.dr Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GunaDotNetRT64.dll.3.dr Static PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: turbosquad_support417981.exe.0.dr Static PE information: Section: ZLIB complexity 0.999274553571
Source: turbosquad_support417981.exe.0.dr Static PE information: Section: ZLIB complexity 0.997477213542
Source: turbosquad_support417981.exe.0.dr Static PE information: Section: ZLIB complexity 1.00016176189
Source: turbosquad_support417981.exe.0.dr Static PE information: Section: .boot ZLIB complexity 0.993467738002
Source: Ambrosial.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe File created: C:\Users\user\Desktop\Azonix.otf
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/29@2/4
Source: C:\Users\user\Desktop\Ambrosial.exe File read: C:\Users\user\Desktop\desktop.ini
Source: Ambrosial.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: Ambrosial.exe, 00000003.00000003.539083338.0000020255DFA000.00000004.00000001.sdmp Binary or memory string: bited.slnt
Source: Ambrosial.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Ambrosial.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Ambrosial.exe 'C:\Users\user\Desktop\Ambrosial.exe'
Source: C:\Users\user\Desktop\Ambrosial.exe Process created: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe 'C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe'
Source: C:\Users\user\Desktop\Ambrosial.exe Process created: C:\Users\user\AppData\Local\Temp\Ambrosial.exe 'C:\Users\user\AppData\Local\Temp\Ambrosial.exe'
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 516
Source: C:\Users\user\Desktop\Ambrosial.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Ambrosial.exe File created: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744
Source: Ambrosial.exe.0.dr, Ambrosial/Ambrosial/Classes/Cipher.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.turbosquad_support417981.exe.2e00000.0.unpack, ue03d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.turbosquad_support417981.exe.2e00000.0.unpack, ue061.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AppLaunch.exe.400000.0.unpack, ue03d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AppLaunch.exe.400000.0.unpack, ue061.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Ambrosial.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Ambrosial.exe Static file information: File size 27613184 > 1048576
Source: Ambrosial.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a24c00
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbg source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb/ source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Ambrosial.exe, 00000003.00000003.518981093.000002024D67F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: shcore.pdby source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: E:\buildslave\win\64x\ambrosial-64xR\Ambrosial\Ambrosial\obj\x64\Release\Ambrosial.pdb source: Ambrosial.exe, 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, Ambrosial.exe, 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbK source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: combase.pdba source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbW source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\Guna.UI2\Build\Guna.UI2.WinForms\build\nuget\release\Guna.UI2.pdb source: Ambrosial.exe, 00000003.00000003.523261595.00000202576B4000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.346772884.00000000048D7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.346758820.00000000048D0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.346735935.0000000004901000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match File source: 00000003.00000000.313183186.000002023B312000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317895432.0000000000E48000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ambrosial.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ambrosial.exe PID: 5472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe, type: DROPPED
.NET source code contains potential unpacker
Source: 2.3.turbosquad_support417981.exe.2e00000.0.unpack, ue05f.cs .Net Code: ? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.AppLaunch.exe.400000.0.unpack, ue05f.cs .Net Code: ? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ecx; mov dword ptr [esp], eax 2_2_0061083B
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ebx; mov dword ptr [esp], eax 2_2_0061096A
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push eax; mov dword ptr [esp], 0000012Ch 2_2_0061096F
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 6AA2E1E5h; mov dword ptr [esp], ebx 2_2_00610D28
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ebp; mov dword ptr [esp], 6C4ACF19h 2_2_00610D3B
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 6358803Ch; mov dword ptr [esp], eax 2_2_00610E6F
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ecx; mov dword ptr [esp], 31342D37h 2_2_00610E73
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push edi; mov dword ptr [esp], edx 2_2_006114B1
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push edx; mov dword ptr [esp], 4367C2FEh 2_2_006114B5
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 2C9C1313h; mov dword ptr [esp], edi 2_2_00611978
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 6CFA6BDCh; mov dword ptr [esp], ebx 2_2_006122F9
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 6219499Ah; mov dword ptr [esp], ebp 2_2_0061247C
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push esi; mov dword ptr [esp], 5E6F1367h 2_2_00612480
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push eax; mov dword ptr [esp], 435F574Fh 2_2_006126CF
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 270BC0BFh; mov dword ptr [esp], edx 2_2_006127A4
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push 5E176DEDh; mov dword ptr [esp], eax 2_2_0061292C
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push edi; mov dword ptr [esp], 0AFAE346h 2_2_00613002
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push esi; mov dword ptr [esp], ecx 2_2_00613023
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ebx; mov dword ptr [esp], edx 2_2_00613039
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push eax; mov dword ptr [esp], 3DDCEF62h 2_2_0061306C
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push esi; mov dword ptr [esp], ebx 2_2_0061309D
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Code function: 2_2_00519153 push ebp; mov dword ptr [esp], ecx 2_2_006134E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_097438F5 pushad ; retf 4_2_097438F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_09744BCB pushfd ; ret 4_2_09744BCC
Binary contains a suspicious time stamp
Source: Ambrosial.exe.0.dr Static PE information: 0xEF876214 [Sun May 5 21:18:12 2097 UTC]
PE file contains sections with non-standard names
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name:
Source: turbosquad_support417981.exe.0.dr Static PE information: section name: .debug
Source: turbosquad_support417981.exe.0.dr Static PE information: section name: .B1uj23u
Source: turbosquad_support417981.exe.0.dr Static PE information: section name: .B1uj23u
Source: turbosquad_support417981.exe.0.dr Static PE information: section name: .boot
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains an invalid checksum
Source: Ambrosial.exe Static PE information: real checksum: 0x1a570a1 should be:
Source: Ambrosial.exe.0.dr Static PE information: real checksum: 0x0 should be:
Source: turbosquad_support417981.exe.0.dr Static PE information: real checksum: 0x191269 should be: 0x1958a2
Source: initial sample Static PE information: section name: entropy: 7.99696760481
Source: initial sample Static PE information: section name: entropy: 7.59666095342
Source: initial sample Static PE information: section name: .boot entropy: 7.95745327215

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Ambrosial.exe File created: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe File created: C:\Users\user\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Source: C:\Users\user\Desktop\Ambrosial.exe File created: C:\Users\user\AppData\Local\Temp\Ambrosial.exe
Source: C:\Users\user\Desktop\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe RDTSC instruction interceptor: First address: 00007FFC6FB51F0F second address: 00007FFC6FB51F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007F21A0BC634Ch 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007F21A0BC6384h 0x0000003e rdtsc
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7088 Thread sleep time: -17524406870024063s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Window / User API: threadDelayed 808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 7237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 1415
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Ambrosial.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: WerFault.exe, 00000007.00000003.357268206.000000000466F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[&
Source: WerFault.exe, 00000007.00000002.363345368.000000000466F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP
Source: WerFault.exe, 00000007.00000002.363004473.0000000004620000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe System information queried: ModuleInformation

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 505A008
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Message posted: Message id: QUERYENDSESSION
.NET source code references suspicious native API functions
Source: Ambrosial.exe.0.dr, Ambrosial/Ambrosial/Utils.cs Reference to suspicious API methods: ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('GetProcAddress', 'GetProcAddress@kernel32'), ('CreateRemoteThread', 'CreateRemoteThread@kernel32.dll'), ('OpenProcess', 'OpenProcess@kernel32.dll')
.NET source code contains process injector
Source: Ambrosial.exe.0.dr, Ambrosial/Ambrosial/Utils.cs .Net Code: inject contains WriteProcessMemory and CreateRemoteThread reference
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ambrosial.exe Process created: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe 'C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe'
Source: C:\Users\user\Desktop\Ambrosial.exe Process created: C:\Users\user\AppData\Local\Temp\Ambrosial.exe 'C:\Users\user\AppData\Local\Temp\Ambrosial.exe'
Source: C:\Users\user\AppData\Local\Temp\turbosquad_support417981.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: turbosquad_support417981.exe, 00000002.00000000.333636504.0000000001430000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: turbosquad_support417981.exe, 00000002.00000000.333636504.0000000001430000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: turbosquad_support417981.exe, 00000002.00000000.333636504.0000000001430000.00000002.00020000.sdmp Binary or memory string: Progman
Source: turbosquad_support417981.exe, 00000002.00000000.333636504.0000000001430000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Ambrosial.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Azonix.otf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\OpenSansLight.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Ambrosial.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6180, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: gl1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000004.00000002.417474499.0000000007411000.00000004.00000001.sdmp String found in binary or memory: gl5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6180, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 6180, type: MEMORYSTR