Windows Analysis Report
sample.exe

Overview

General Information

Sample Name: sample.exe
Analysis ID: 760788
MD5: 1a7ddd5e16d0fc9c3969d1c63e5c6cda
SHA1: ea07628e7506e8d68c12fa2236ffd9a05ab927fe
SHA256: 4cbd48893182071bbb208d732369b8ca73fb9fb027ef63b20a9bc6768aba3521
Tags: exe
Infos:

Detection

Cryptolocker, ObzCrypt
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected ObzCrypt Ransomware
Yara detected AntiVM3
Found ransom note / readme
Antivirus detection for URL or domain
Yara detected Cryptolocker ransomware
Infects executable files (exe, dll, sys, html)
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Drops executable to a common third party application directory
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Writes a notice file (html or txt) to demand a ransom
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: sample.exe Virustotal: Detection: 20% Perma Link
Antivirus detection for URL or domain
Source: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s Avira URL Cloud: Label: malware
Source: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101IUBIUGDE Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: sample.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: sample.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\Reader_19.012.20034\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\Recovery\WindowsRE\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\Recovery\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\Reader_19.012.20035\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\S\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\Setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\dbg\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\Setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\CustomTraceProfiles\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventTranscript\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\OfflineSettings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Scripts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\WindowsAnalytics\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OFFICE\Heartbeat\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OFFICE\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\CellularUx\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Settings\Accounts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Settings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Spectrum\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Speech_OneCore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Storage Health\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\InboxTemplates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\Scripts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\Templates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Default\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\NisBackup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{186FBBD0-81E5-4485-9A0B-058B395708F3}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Features\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\LocalCopy\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\Support\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Quarantine\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\BackupStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\CacheManager\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Results\Resource\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Results\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Service\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Store\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Support\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender Advanced Threat Protection\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Inbox\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Queue\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\SentItems\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Security Health\Logs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Security Health\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\Server\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\WindowsHolographicDevices\SpatialStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\WindowsHolographicDevices\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ReadMe.txt Jump to behavior
Source: sample.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Reflow.pdbRR source: Data1.cab.1.dr
Source: Binary string: PDDom.pdbiiH source: Data1.cab.1.dr
Source: Binary string: SaveAsRTF.pdbUU source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A source: Data1.cab.1.dr
Source: Binary string: Accessibility.pdbpp source: Data1.cab.1.dr
Source: Binary string: 2SxdsPt.pdb source: sample.exe
Source: Binary string: Accessibility.pdb source: Data1.cab.1.dr
Source: Binary string: D:\garuda_1890\esg\lilo\plugins\AdobeHunspellPlugin\6.1\binaries\VC.Net2010\Win32\Release\AdobeHunspellPlugin.pdb source: Data1.cab.1.dr
Source: Binary string: SaveAsRTF.pdb source: Data1.cab.1.dr
Source: Binary string: Reflow.pdb source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb source: Data1.cab.1.dr
Source: Binary string: D:\DCB\CBT_Main\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PDDom.pdb source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb source: Data1.cab.1.dr
Source: Binary string: MakeAccessible.pdb source: Data1.cab.1.dr

Spreading
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\sample.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\sample.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\customizations.xml Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\CellularUx\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\sample.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02891330
Source: C:\Users\user\Desktop\sample.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_028914B0
Source: C:\Users\user\Desktop\sample.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_02891321

Networking
barindex
Found Tor onion address
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s
Source: sample.exe, 00000000.00000002.374003054.0000000003A99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s
Source: sample.exe, 00000001.00000000.359788457.000000000041A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s
Source: sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s
Source: sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101IUBIUGDE
Source: ReadMe.txt31.1.dr String found in binary or memory: 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101IUBIUGDE
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://createsoftware.users.sourceforge.net/code/synchronicity-version.txt
Source: Data1.cab.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Data1.cab.1.dr String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: Data1.cab.1.dr String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: Data1.cab.1.dr String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.374003054.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000001.00000000.359788457.000000000041A000.00000040.00000400.00020000.00000000.sdmp, sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101%s
Source: sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp, ReadMe.txt31.1.dr String found in binary or memory: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101IUBIUGDE
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: Data1.cab.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/Xhttp://createsoftware.users.sourceforge.net/Vmailto:createsoft
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/code/bug.php
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/code/version.txt~http://synchronicity.sourceforge.net/code/sche
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/contribute.html
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/help.html
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/settings-help.html6Replicate
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://synchronicity.sourceforge.net/update.html
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Data1.cab.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Data1.cab.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Data1.cab.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325752832.0000000005B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Data1.cab.1.dr String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: sample.exe, 00000000.00000003.326038010.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: sample.exe, 00000000.00000003.326038010.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com$2
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: sample.exe, 00000000.00000003.326038010.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comt
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336190240.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330055944.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329998593.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329728157.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330867474.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330033628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330131406.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329966403.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329880143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330091328.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329802620.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329756133.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330904569.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: sample.exe, 00000000.00000003.328555594.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328578598.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: sample.exe, 00000000.00000003.329651143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: sample.exe, 00000000.00000003.329087928.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlegr
Source: sample.exe, 00000000.00000003.329279498.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329248790.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329385253.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329119400.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329412169.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329431891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329087928.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329331020.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlr-t
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: sample.exe, 00000000.00000003.328462442.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/s
Source: sample.exe, 00000000.00000003.329193707.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329271068.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329400846.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329119400.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: sample.exe, 00000000.00000003.328826933.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328802016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328879486.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329016206.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328921485.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328986977.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329087928.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329051713.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328852562.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF
Source: sample.exe, 00000000.00000003.336163504.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336190240.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336538052.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338221722.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.340726462.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338096459.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338325708.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336644849.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338190024.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.340971503.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.339269774.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.341078407.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.339476078.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.389588707.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.339946920.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328555594.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328578598.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336232497.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.361687581.0000000005B09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330055944.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329998593.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330867474.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330033628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330131406.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329966403.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329880143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330091328.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330904569.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330200128.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330654224.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsa
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331430174.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331136138.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331029041.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330867474.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331486507.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331216016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330961275.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331356024.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330930996.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330983884.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330904569.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330654224.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331273536.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331180923.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsdW
Source: sample.exe, 00000000.00000003.336190240.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336538052.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338221722.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338096459.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338325708.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336644849.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338190024.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336232497.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comce
Source: sample.exe, 00000000.00000003.328716237.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328776732.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328826933.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329193707.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328802016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328879486.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329016206.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328921485.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329271068.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329400846.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329119400.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328986977.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330654224.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: sample.exe, 00000000.00000003.328826933.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329561898.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329527987.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329193707.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328802016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328879486.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329461201.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329016206.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328921485.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329271068.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329400846.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329119400.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328986977.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329431891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329087928.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329051713.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328852562.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdN
Source: sample.exe, 00000000.00000003.329561898.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329527987.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329193707.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329461201.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329271068.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329400846.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329119400.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329431891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329087928.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdiv
Source: sample.exe, 00000000.00000003.329651143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdm
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330055944.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331136138.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331029041.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329998593.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330867474.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330033628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330131406.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329966403.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.331216016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329880143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330961275.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330091328.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329802620.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330930996.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comitudN
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330055944.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329998593.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330033628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330131406.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329966403.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329880143.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330091328.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329802620.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330200128.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330654224.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comj
Source: sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330131406.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330560932.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330491984.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330459079.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330200128.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330654224.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttoF
Source: sample.exe, 00000000.00000003.336163504.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336190240.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336538052.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.338096459.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336644849.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.336232497.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttvaj
Source: sample.exe, 00000000.00000003.328462442.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtu2
Source: sample.exe, 00000000.00000003.328716237.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328776732.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328826933.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329561898.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330338733.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330055944.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329527987.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330426376.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330237338.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329193707.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329998593.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330522909.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328802016.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328879486.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329461201.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329016206.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328921485.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329728157.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330867474.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.329155625.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.330033628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comue
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: sample.exe, 00000000.00000003.326038010.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.324824935.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.324862836.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: sample.exe, 00000000.00000003.325435536.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325294477.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325339688.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325485810.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325540922.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325118238.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.325043183.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/U_
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: sample.exe, 00000000.00000003.332383195.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332417103.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332452493.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332616186.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332589202.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332354005.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.361580922.0000000005ACA000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332589202.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.332354005.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/licenses/gpl.htmlxhttp://sourceforge.net/tracker/?group_id=264348&atid=1130882
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: sample.exe, 00000000.00000003.326537641.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327626805.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: sample.exe, 00000000.00000003.326613447.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327240510.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326537641.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: sample.exe, 00000000.00000003.327661680.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327466680.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327240510.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327551547.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327289880.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327372572.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327428526.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327704628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327500891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327626805.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: sample.exe, 00000000.00000003.326451298.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326428293.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326478930.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326537641.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: sample.exe, 00000000.00000003.326613447.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327661680.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327466680.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327739218.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327240510.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327551547.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326451298.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327289880.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327372572.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326428293.0000000005B07000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326478930.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327428526.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327704628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327500891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326537641.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327428526.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327963793.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327704628.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327500891.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326537641.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327922182.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327626805.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: sample.exe, 00000000.00000003.326613447.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/X
Source: sample.exe, 00000000.00000003.326613447.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: sample.exe, 00000000.00000003.326731204.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.327038241.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326984591.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326952401.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326835560.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.326783162.0000000005B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: sample.exe, 00000000.00000003.335116775.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.M
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Data1.cab.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: Data1.cab.1.dr String found in binary or memory: http://www.symauth.com/cps09
Source: Data1.cab.1.dr String found in binary or memory: http://www.symauth.com/rpa04
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: sample.exe, 00000000.00000002.390950173.0000000006DC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.374003054.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000001.00000000.359788457.000000000041A000.00000040.00000400.00020000.00000000.sdmp, sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp, ReadMe.txt31.1.dr String found in binary or memory: https://www.torproject.org/
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000002.374003054.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000001.00000000.359788457.000000000041A000.00000040.00000400.00020000.00000000.sdmp, sample.exe, 00000001.00000002.588559208.000000000041A000.00000040.00000400.00020000.00000000.sdmp, ReadMe.txt31.1.dr String found in binary or memory: https://yip.su/2QstD5
Creates a DirectInput object (often for capturing keystrokes)
Source: sample.exe, 00000000.00000002.363618196.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected ObzCrypt Ransomware
Source: Yara match File source: Process Memory Space: sample.exe PID: 3736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sample.exe PID: 1236, type: MEMORYSTR
Found ransom note / readme
Source: C:\ProgramData\Microsoft\Network\ReadMe.txt Dropped file: Attention! All your files, documents, photos, databases and other important files are encryptedThe only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.The server with your decryptor is in a closed network TOR. You can get there by the following ways:----------------------------------------------------------------------------------------1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101IUBIUGDE 5. and open ticket ----------------------------------------------------------------------------------------Alternate communication channel here: https://yip.su/2QstD5 Jump to dropped file
Yara detected Cryptolocker ransomware
Source: Yara match File source: Process Memory Space: sample.exe PID: 3736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sample.exe PID: 1236, type: MEMORYSTR
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Microsoft\Network\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Microsoft\OFFICE\Heartbeat\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Microsoft\OFFICE\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Adobe\ARM\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Adobe\Setup\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\ProgramData\Adobe\ARM\Reader_19.012.20034\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\Recovery\WindowsRE\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Source: C:\Users\user\Desktop\sample.exe File dropped: C:\Recovery\ReadMe.txt -> attention! all your files, documents, photos, databases and other important files are encryptedthe only method of recovering files is to purchase an unique decryptor. only we can give you this decryptor and only we can recover your files.the server with your decryptor is in a closed network tor. you can get there by the following ways:----------------------------------------------------------------------------------------1. download tor browser - https://www.torproject.org/ 2. install tor browser 3. open tor browser 4. open link in tor browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?101iubiugde 5. and open ticket ----------------------------------------------------------------------------------------alternate communication channel here: https://yip.su/2qstd5 Jump to dropped file
Uses 32bit PE files
Source: sample.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Detected potential crypto function
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_028914B0 0_2_028914B0
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0297EF51 0_2_0297EF51
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0297EF60 0_2_0297EF60
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0297CC54 0_2_0297CC54
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0501ED80 0_2_0501ED80
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\sample.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: sample.exe, 00000000.00000002.369817285.0000000002C26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs sample.exe
Source: sample.exe, 00000000.00000002.382683634.0000000003E09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs sample.exe
Source: sample.exe, 00000000.00000002.446706097.0000000007520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs sample.exe
Source: sample.exe, 00000000.00000000.318218538.00000000005C4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename2SxdsPt.exe< vs sample.exe
Source: sample.exe, 00000000.00000002.369623681.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs sample.exe
Source: sample.exe, 00000000.00000002.367808455.0000000002A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs sample.exe
Source: sample.exe, 00000000.00000002.363618196.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs sample.exe
Source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetup.exeF vs sample.exe
Source: sample.exe Binary or memory string: OriginalFilename2SxdsPt.exe< vs sample.exe
Source: sample.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sample.exe Virustotal: Detection: 20%
Source: sample.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\sample.exe C:\Users\user\Desktop\sample.exe
Source: C:\Users\user\Desktop\sample.exe Process created: C:\Users\user\Desktop\sample.exe {path}
Source: C:\Users\user\Desktop\sample.exe Process created: C:\Users\user\Desktop\sample.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sample.exe.log Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\ReadMe.txt Jump to behavior
Source: classification engine Classification label: mal100.rans.spre.evad.winEXE@3/128@0/0
Source: C:\Users\user\Desktop\sample.exe File read: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini Jump to behavior
Source: sample.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\sample.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: sample.exe, 00000000.00000003.328309019.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328345968.0000000005B08000.00000004.00000800.00020000.00000000.sdmp, sample.exe, 00000000.00000003.328378265.0000000005B08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Trademark of Stephenson Blake (Holdings) Ltd.slntP
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini Jump to behavior
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/lf63PAE3O9o8wFDstB6.cs Cryptographic APIs: 'CreateDecryptor'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/lf63PAE3O9o8wFDstB6.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: sample.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: sample.exe Static file information: File size 1054208 > 1048576
Source: sample.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: sample.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x100c00
Source: sample.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: sample.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Reflow.pdbRR source: Data1.cab.1.dr
Source: Binary string: PDDom.pdbiiH source: Data1.cab.1.dr
Source: Binary string: SaveAsRTF.pdbUU source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A source: Data1.cab.1.dr
Source: Binary string: Accessibility.pdbpp source: Data1.cab.1.dr
Source: Binary string: 2SxdsPt.pdb source: sample.exe
Source: Binary string: Accessibility.pdb source: Data1.cab.1.dr
Source: Binary string: D:\garuda_1890\esg\lilo\plugins\AdobeHunspellPlugin\6.1\binaries\VC.Net2010\Win32\Release\AdobeHunspellPlugin.pdb source: Data1.cab.1.dr
Source: Binary string: SaveAsRTF.pdb source: Data1.cab.1.dr
Source: Binary string: Reflow.pdb source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb source: Data1.cab.1.dr
Source: Binary string: D:\DCB\CBT_Main\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: sample.exe, 00000001.00000003.387126250.000000000468D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PDDom.pdb source: Data1.cab.1.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb source: Data1.cab.1.dr
Source: Binary string: MakeAccessible.pdb source: Data1.cab.1.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/zdmDC9hPQUqfXeV0FX.cs .Net Code: P02eMAuLLrKhk0ay8we System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/lf63PAE3O9o8wFDstB6.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Binary contains a suspicious time stamp
Source: sample.exe Static PE information: 0xD70427CD [Mon Apr 24 00:16:13 2084 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.299387401607024
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/lf63PAE3O9o8wFDstB6.cs High entropy of concatenated method names: '.cctor', 'jHRY6aCS1WEi6', 'EQWx9EpB7C', 'zr6xbDdaav', 'QZCxksfWNi', 'S6KxLyZkE7', 'WjpxI4ogqN', 'U7IxJPTLxS', 'BBbx8JhQ6x', 'WG3xwgf2sv'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/Qdc07RjMGkfRPd19Y0.cs High entropy of concatenated method names: 'Dispose', 'swCmYLGO3i', 'tPo8e2k9NA', 'y0N8ZvxlbF', 'YDf8fcCbbO', 'mdN8EGX9sy', 'uxn8MM42Us', 'ovH84Safus', 'uLq8dkeo9l', 'ESs8cFuPrl'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/z1hnHJNg7xIgkBJxoj.cs High entropy of concatenated method names: 'Dispose', 'o3nfYfGF4H', 'f7VuWD7GS0', 'MMgu0J9cTP', 'Q48uD7GHC4', 'ysyuKSlRKE', 'vW7uefpI41', 'N69uZPius6', 'DRwufY1DXp', 'tZYuEefb8N'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/i6I8MyHy99Qu7PRWqx.cs High entropy of concatenated method names: 'Dispose', 'w98m161wrk', 'mKKA7EffMk', 'eDrAU9h0xu', 'It3AnIfcMo', 'jw9AyGQR9A', 'jBHAV7CK42', 'vm3AqAcAGc', 'uO6Az60obV', 'xGQ8kS0dKh'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/BI2SOfWjiXPlSSYNTN.cs High entropy of concatenated method names: '.cctor', '.ctor', 'LiovtdY9C6', 'cPTv6UJZdy', 'HDivgpRB7H', 'aAKvKttqT8', 'tH0vseWqda', 'HfevSTtIaB', 'nEyvl2XdkO', 'mbtvFZlOyq'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/NMY1gSc6aU9xeD9NW6.cs High entropy of concatenated method names: '.ctor', 'dewvNK5qOF', 'm02vnjyCWv', 'HYcvOyDhB7', 'isYv4jgieJ', 'WpIv34fJwg', 'NPEvraCK0v', 'dX8vcnV8EK', 'WvsvekJn7w', 'RKEvWmVXKD'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/ApvLr1nKRFtU8jaHHq.cs High entropy of concatenated method names: '.cctor', 'AJ8B76gQx6', 'TGPBYBbg4L', '.ctor', 'ioWBdjOoGW', 'ktJBtH4Ibv', 'tRKB6YANgj', 'We9BgjlgYe', 'StVBKG2RGq', 'aG4BsE22ZL'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/i1y7k6vRGS8p93mbJ2.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'kp1dhnHJg', 'lrJaIcV9AM', 'AOCa9Yh90H', 'jfSasHUEPy', 'sWQaTaY9rn', 'LA5a299r8t', 'OwBabPmngx', 'sPaaNVfZwT'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/DNjZwR3KJFTYF5yfSe.cs High entropy of concatenated method names: '.ctor', 'z08BIKjfMj', 'spNBJC7mIB', 'z8cB87f7k4', 'FlBBwobmF3', 'nChBidiQj8', 'Vi3BVE69aa', 'x8xBTxu6JA', 'oTbBzfJMvP', 'Si8vDpFqcF'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/A88FPSdUB0UskpLWOA.cs High entropy of concatenated method names: '.ctor', 'WT91nQnqXo', 'mXP1O4cNd4', 'b5G14Ls7lw', 'NNS13N8Pdi', 'Gwd1rR1ain', 'uSZ1cCEess', 'Yae1eveC0Z', 'qmj1WAJoPD', 'ten1XIYCeD'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/Sd7KM75D7O360QuKmw.cs High entropy of concatenated method names: 'Dispose', 'rgBEysmkME', 'Yg4wMdFTIP', 'XHGw480EFf', 'Aefwf3E3U8', 'c1rwENani5', '.ctor', 'xQeECRvIqO', 'dYYEuNKvka', 'q1QHGKU6ib3enhPKoEb'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/weHqtcLYBGMTgy6Coh.cs High entropy of concatenated method names: '.ctor', 'GjfqM3CrCh', 'NFHqGnV6NR', 'FtBq79uOw5', 'agJqYbKQTF', 'l7SqdpwmNp', 'H8YqtaKeAT', 'pwQq6svH6A', 'fachTdMaMhWLi7e8FXP', 'evpKRbMoIDc2m3mOEtR'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/zdmDC9hPQUqfXeV0FX.cs High entropy of concatenated method names: 'DNeEkOYDDf', 'Dispose', 'dFgELyswh2', 'JcxEIEUITh', 'UgPEJNxpCZ', 'ah3E8uRglv', 'N8xwdpPWPi', 'sXMwcv66I6', 'RcSwiRi0MV', 'IfywmGibcu'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/tPwP6qaw284lf1OfB9.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'fIREcERZnI', 'u2gwCOaqng', 'g9lwomVlaF', 'x2mwOnYCjm', 'qfBwtQBdxV', 'oX8waT0Lvq', 'xG7wwn2qvQ', 'fM8wAtIQsY'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/RQcVSFxcWSEd7gv0iq.cs High entropy of concatenated method names: '.cctor', 'srfE0AOPT8', 'R95Ea7puxy', 'dHiEEl1onV', 'tqWERKWdk1', 'mDmEmVC1B9', 'O5TEQl7FVp', 'YKREfOhwXG', 'YEtEoDHlel', 'oOOEBldA79'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/m2scxEJUITh8gPNxpC.cs High entropy of concatenated method names: 'vtoqSliwUg', 'qRToj0MCTGL9EO7cSoX', 'FCh0MtMTvSqKTA3soq8', 'pSoFtaMVwbuANsdVchO', 'WS3VnRMw3jCIUAodsT9', 'DPpKt4Me8hUr9xgEWN6', 'iQMFITMWw8ypwrUScBr', 'Ur3cLMMqhp9DARSIYeK', 'XXBK39M4mTmKDg5pXm4', 'kM3o8KM5UwoaH0HwMli'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/miX7gqi5NvIsfKk34D.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'fqvqi7JvMu', 'FLbFxOHGrQ', 'GGcFvHCCLN', 'PodFhn63vw', 'NuWFGLsdxA', 'WYeF7oXqgj', 't0UFU7EwW8', 'GtfF51lpcR'
Source: sample.exe, H1Q3v6Eb2BZtV0V3vj/lhZmTYwr53XJZcU2Fo.cs High entropy of concatenated method names: '.ctor', 'JkNqCsirtM', 'tUcquAwPru', 'lfCqPYy3TW', 'Os5q9nw86o', 'Dispose', 'C0tqbl5mAm', 'nV0FNKeiBx', 'eWOFX0uscc', 'HfCF1sEO4O'

Persistence and Installation Behavior
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\sample.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\Reader_19.012.20034\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\Recovery\WindowsRE\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\Recovery\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\Reader_19.012.20035\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: M:\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\S\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ARM\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\Setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Adobe\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\dbg\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\Setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\MachineKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\DSS\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\Keys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\WindowsAIK\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\PCPKSP\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\SystemKeys\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Task\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DeviceSync\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\AsimovUploader\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\CustomTraceProfiles\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedScenarios\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\DownloadedSettings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\AutoLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ETLLogs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventTranscript\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\LocalTraceStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\OfflineSettings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Scripts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Sideload\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Siufloc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLanding\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\SoftLandingStage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\WindowsAnalytics\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\Server\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\DRM\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MapData\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\BreadcrumbStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\NetFramework\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Connections\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OFFICE\Heartbeat\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\OFFICE\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\CellularUx\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{bf56ce5a-946b-45b5-858a-1794eb0125e2}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\RunTime\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\Prov\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Settings\Accounts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Settings\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Spectrum\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Speech_OneCore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Storage Health\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\InboxTemplates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\Scripts\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\Templates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\UEV\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Vault\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WDF\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Default\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\NisBackup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{186FBBD0-81E5-4485-9A0B-058B395708F3}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Features\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\LocalCopy\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\Support\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Network Inspection System\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Quarantine\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\BackupStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\CacheManager\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReportLatency\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Results\Resource\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Results\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Service\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\Store\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\History\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Support\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender Advanced Threat Protection\Temp\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender Advanced Threat Protection\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Common Coverpages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Inbox\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\Queue\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\SentItems\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Security Health\Logs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Security Health\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\Server\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WinMSIPC\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\WwanSvc\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\setup\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft OneDrive\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\installcache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\Java\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Oracle\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\regid.1991-06.com.microsoft\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\SoftwareDistribution\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\WindowsHolographicDevices\SpatialStore\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\WindowsHolographicDevices\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: sample.exe PID: 3736, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Users\user\Desktop\sample.exe Section loaded: C:\Users\user\Desktop\sample.exe Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Section loaded: C:\Users\user\Desktop\sample.exe Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sample.exe TID: 644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\sample.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\Prov\RunTime\ Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\customizations.xml Jump to behavior
Source: C:\Users\user\Desktop\sample.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Provisioning\AssetCache\CellularUx\ Jump to behavior
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: sample.exe, 00000000.00000002.369532104.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\sample.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\sample.exe Memory written: C:\Users\user\Desktop\sample.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\sample.exe Process created: C:\Users\user\Desktop\sample.exe {path} Jump to behavior
Source: Data1.cab.1.dr Binary or memory string: gHExitMaximize&Click to activateShell_TrayWndTrayNotifyWndp
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Users\user\Desktop\sample.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 760788 Sample: sample.exe Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 24 Antivirus detection for URL or domain 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Found ransom note / readme 2->28 30 8 other signatures 2->30 6 sample.exe 3 2->6         started        process3 file4 14 C:\Users\user\AppData\...\sample.exe.log, ASCII 6->14 dropped 32 Tries to detect sandboxes / dynamic malware analysis system (file name check) 6->32 34 Writes a notice file (html or txt) to demand a ransom 6->34 36 Injects a PE file into a foreign processes 6->36 10 sample.exe 187 491 6->10         started        signatures5 process6 file7 16 C:\Recovery\WindowsRE\ReadMe.txt, ASCII 10->16 dropped 18 C:\Recovery\ReadMe.txt, ASCII 10->18 dropped 20 C:\ProgramData\Microsoft\OFFICE\ReadMe.txt, ASCII 10->20 dropped 22 10 other files (8 malicious) 10->22 dropped 38 Drops executable to a common third party application directory 10->38 40 Infects executable files (exe, dll, sys, html) 10->40 signatures8
No contacted IP infos