Windows Analysis Report
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Overview

General Information

Sample name: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Analysis ID: 1502159
MD5: db2a12edc73769f2f2b6b01545afe2c3
SHA1: 73dc44fb0753296f51b851299f468031ceb77b54
SHA256: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
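The Sigma and behaviour signatures above describe process-creation patterns that can be checked against endpoint telemetry. The following Python is an added example, not Joe Sandbox code and not the Sigma rules themselves: it encodes five of the flagged behaviours (WScript in batch mode launching a script from a user-writable folder, execution of a .pif dropped under AppData, RegAsm.exe started outside the .NET Framework directory, a known injection host started with no arguments, and schtasks creating a task that points into an environment-variable folder) as rule functions and runs them over constructed events. The wscript command line is the one this report logged; the RegAsm.exe path, the schtasks command, the benign events and the list of "sacrificial" host processes are assumptions.

```python
"""
Added example (not Joe Sandbox code, not the Sigma rules verbatim): encode
five process-creation behaviours flagged in this report as rule functions
and run them over constructed events.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # its command line


# Folders an unprivileged user can write to; scripts and PE files launched
# from here are what the "dropper" and "suspicious extension" signatures key on.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Environment variables that expand to those folders (schtasks /tr values).
ENV_FOLDER = re.compile(r"%(APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC|PROGRAMDATA|USERPROFILE)%", re.I)
# The only legitimate home of RegAsm.exe / RegSvcs.exe.
DOTNET_FRAMEWORK = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegAsm|RegSvcs)\.exe$", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
SUSPICIOUS_EXT = (".pif", ".scr", ".com", ".cpl")
# Assumed list of .NET utilities commonly started empty as injection targets.
SACRIFICIAL = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_wscript_batch_dropper(e):
    """wscript/cscript with //B (errors suppressed) running a script from a user-writable folder."""
    if basename(e.image) not in ("wscript.exe", "cscript.exe"):
        return False
    return ("//b" in e.cmdline.lower()
            and bool(SCRIPT_EXT.search(e.cmdline))
            and bool(USER_WRITABLE.search(e.cmdline)))


def rule_suspicious_extension(e):
    """A PE renamed to .pif/.scr/.com/.cpl executed from a user-writable folder."""
    return e.image.lower().endswith(SUSPICIOUS_EXT) and bool(USER_WRITABLE.search(e.image))


def rule_regasm_uncommon_location(e):
    """RegAsm.exe/RegSvcs.exe whose image is not under the .NET Framework directory."""
    if basename(e.image) not in ("regasm.exe", "regsvcs.exe"):
        return False
    return DOTNET_FRAMEWORK.match(e.image) is None


def rule_sacrificial_no_args(e):
    """A known injection host started with a bare command line (no arguments at all)."""
    bare = e.cmdline.strip().strip('"').lower()
    return basename(e.image) in SACRIFICIAL and bare == e.image.lower()


def rule_schtasks_env_folder(e):
    """schtasks /create whose task action points into an environment-variable folder."""
    return (basename(e.image) == "schtasks.exe"
            and "/create" in e.cmdline.lower()
            and bool(ENV_FOLDER.search(e.cmdline)))


RULES = {
    "wscript_batch_dropper": rule_wscript_batch_dropper,
    "suspicious_extension_exec": rule_suspicious_extension,
    "regasm_uncommon_location": rule_regasm_uncommon_location,
    "sacrificial_process_no_args": rule_sacrificial_no_args,
    "schtasks_env_folder": rule_schtasks_env_folder,
}


def evaluate(events):
    """Return, per event, the names of the rules it matched (in RULES order)."""
    return [[name for name, rule in RULES.items() if rule(ev)] for ev in events]


# Constructed events. The first command line is the one this report logged;
# the others are assumptions shaped after the report's dropped-file paths.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\684126\Intake.pif",
              r'"C:\Users\user\AppData\Local\Temp\684126\Intake.pif" Nevertheless'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe",          # assumed path
              r'"C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",                            # assumed command
              r'schtasks.exe /create /tn TurtleHarbor /tr "wscript //B %LOCALAPPDATA%\SecureData Technologies\TurtleHarbor.js" /sc minute /mo 1'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",   # benign
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\Vendor\lib.dll'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",                             # benign
              r'C:\Windows\System32\wscript.exe "C:\Program Files\Vendor\maint.js"'),
]

if __name__ == "__main__":
    for ev, hits in zip(EVENTS, evaluate(EVENTS)):
        print(f"{basename(ev.image):14} -> {hits or 'clean'}")
```

The two benign events show the discriminators that matter: the genuine RegAsm.exe path under Microsoft.NET with real arguments matches nothing, and wscript.exe without //B running a script from Program Files matches nothing, while the dropped RegAsm.exe copy trips both the location rule and the empty-command-line rule at once.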

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 26.2.RegAsm.exe.1100000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["45.200.149.147:27667"], "Bot Id": "button1"}
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Virustotal: Detection: 8%
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe ReversingLabs: Detection: 39%
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Virustotal: Detection: 35%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose, 18_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037CD14 FindFirstFileW,FindClose, 18_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 18_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00373CE2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 20_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose, 20_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037CD14 FindFirstFileW,FindClose, 20_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 20_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 20_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00373CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\684126\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\684126

Networking

Source: Malware configuration extractor URLs: 45.200.149.147:27667
Source: unknown DNS traffic detected: query: CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 18_2_003829BA
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Intake.pif, 0000000A.00000000.1669006674.0000000000E99000.00000002.00000001.01000000.00000005.sdmp, TurtleHarbor.pif, 00000012.00000000.1688045792.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, TurtleHarbor.pif, 00000014.00000000.1798912259.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Intake.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404BB4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 18_2_00384830
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 20_2_00384830
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00384632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 18_2_00384632
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00370508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 18_2_00370508
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_24166278-4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 18_2_0039D164
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 20_2_0039D164
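The configuration extractor output and the DNS observation in this section can be turned directly into matching logic. The following Python is an added example, not part of the report or of any vendor tooling: it parses the extracted config line into C2 endpoints, flags a DNS query whose labels are one repeated high-entropy string with no real TLD (the shape of CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN, which a network without DNS interception answers with NXDOMAIN, as the report logged), and runs both checks over constructed connection and DNS records. The entropy and length thresholds and the record layout are assumptions.

```python
"""
Added example (not Joe Sandbox code): parse the extracted RedLine config
line into C2 endpoints, flag the reflexive random-label DNS query seen in
the report, and run both checks over constructed network records.
"""
import json
import math
from collections import Counter

# Extractor output exactly as printed in this report.
CONFIG_LINE = 'RedLine {"C2 url": ["45.200.149.147:27667"], "Bot Id": "button1"}'


def parse_config(line):
    """Split the family tag from the JSON body: ('RedLine', {...})."""
    family, _, body = line.partition(" ")
    return family, json.loads(body)


def c2_endpoints(cfg):
    """Return the set of (host, port) tuples listed under 'C2 url'."""
    endpoints = set()
    for entry in cfg.get("C2 url", []):
        host, _, port = entry.rpartition(":")
        endpoints.add((host, int(port)))
    return endpoints


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dns_canary(qname):
    """True for names like X.X where X is one long high-entropy label.

    Malware issues such a query to learn whether the network answers every
    name (a sandbox with fake DNS); on a real network it gets NXDOMAIN,
    which is what this report logged. Thresholds are assumptions.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2 or len(set(labels)) != 1:
        return False
    label = labels[0]
    return len(label) >= 12 and shannon_entropy(label) >= 3.0


# Constructed records: ("dns", query name, response code) or
# ("conn", destination IP, destination port).
RECORDS = [
    ("dns", "CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN", "NXDOMAIN"),
    ("dns", "api.ip.sb", "NOERROR"),       # external-IP lookup string also seen in memory
    ("conn", "45.200.149.147", 27667),
    ("conn", "1.1.1.1", 53),
]


def match_records(records, endpoints):
    """Return (finding, indicator) pairs for C2 connections and canary queries."""
    findings = []
    for rec in records:
        if rec[0] == "conn" and (rec[1], rec[2]) in endpoints:
            findings.append(("c2_connection", f"{rec[1]}:{rec[2]}"))
        elif rec[0] == "dns" and looks_like_dns_canary(rec[1]):
            findings.append(("dns_canary_query", rec[1]))
    return findings


if __name__ == "__main__":
    family, cfg = parse_config(CONFIG_LINE)
    print(family, sorted(c2_endpoints(cfg)))
    for finding in match_records(RECORDS, c2_endpoints(cfg)):
        print(*finding)
```

The C2 match keys on host and port together, because 45.200.149.147 alone may host unrelated services; the canary check deliberately ignores the response code so that it also fires on a sandbox that answers the name, where the malware would conclude it is being analysed and go quiet.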

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00374254 CreateFileW,DeviceIoControl,CloseHandle, 18_2_00374254
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00368F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 18_2_00368F2E
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403415
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 18_2_00375778
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 20_2_00375778
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_0040447D 0_2_0040447D
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_0040680A 0_2_0040680A
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00406E34 0_2_00406E34
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0031B020 18_2_0031B020
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003194E0 18_2_003194E0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00319C80 18_2_00319C80
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003323F5 18_2_003323F5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00398400 18_2_00398400
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00346502 18_2_00346502
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0034265E 18_2_0034265E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0031E6F0 18_2_0031E6F0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033282A 18_2_0033282A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00320962 18_2_00320962
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003489BF 18_2_003489BF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00390A3A 18_2_00390A3A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00346A74 18_2_00346A74
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00320BE0 18_2_00320BE0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033CD51 18_2_0033CD51
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0036EDB2 18_2_0036EDB2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00378E44 18_2_00378E44
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00390EB7 18_2_00390EB7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00346FE6 18_2_00346FE6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003132C0 18_2_003132C0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003333B7 18_2_003333B7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033F409 18_2_0033F409
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0032D45D 18_2_0032D45D
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0032F628 18_2_0032F628
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00311663 18_2_00311663
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003316B4 18_2_003316B4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0031F6A0 18_2_0031F6A0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003378C3 18_2_003378C3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033DBA5 18_2_0033DBA5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00331BA8 18_2_00331BA8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00319BD0 18_2_00319BD0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00349CE5 18_2_00349CE5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0032DD28 18_2_0032DD28
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033BFD6 18_2_0033BFD6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00331FC0 18_2_00331FC0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0031B020 20_2_0031B020
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003194E0 20_2_003194E0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00319C80 20_2_00319C80
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003323F5 20_2_003323F5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00398400 20_2_00398400
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00346502 20_2_00346502
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0034265E 20_2_0034265E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0031E6F0 20_2_0031E6F0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033282A 20_2_0033282A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00320962 20_2_00320962
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003489BF 20_2_003489BF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00390A3A 20_2_00390A3A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00346A74 20_2_00346A74
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00320BE0 20_2_00320BE0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033CD51 20_2_0033CD51
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0036EDB2 20_2_0036EDB2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00378E44 20_2_00378E44
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00390EB7 20_2_00390EB7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00346FE6 20_2_00346FE6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003132C0 20_2_003132C0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003333B7 20_2_003333B7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033F409 20_2_0033F409
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0032D45D 20_2_0032D45D
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0032F628 20_2_0032F628
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00311663 20_2_00311663
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003316B4 20_2_003316B4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0031F6A0 20_2_0031F6A0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003378C3 20_2_003378C3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033DBA5 20_2_0033DBA5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00331BA8 20_2_00331BA8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00319BD0 20_2_00319BD0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00349CE5 20_2_00349CE5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0032DD28 20_2_0032DD28
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033BFD6 20_2_0033BFD6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00331FC0 20_2_00331FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\684126\Intake.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00314DC0 appears 40 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00338B30 appears 84 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00321A36 appears 68 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00339FA5 appears 46 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 003339FB appears 36 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00321CB6 appears 49 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 0033312D appears 42 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00312111 appears 38 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00330D17 appears 140 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: String function: 00341B70 appears 60 times
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe, 00000000.00000002.1652032736.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@46/23@1/0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037A6AD GetLastError,FormatMessageW, 18_2_0037A6AD
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00368DE9 AdjustTokenPrivileges,CloseHandle, 18_2_00368DE9
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 18_2_00369399
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00368DE9 AdjustTokenPrivileges,CloseHandle, 20_2_00368DE9
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 20_2_00369399
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040400B
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00374148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 18_2_00374148
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 18_2_0037443D
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif File created: C:\Users\user\AppData\Local\SecureData Technologies
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe File created: C:\Users\user\AppData\Local\Temp\nstCC4D.tmp
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe ReversingLabs: Detection: 39%
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe File read: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Source: unknown Process created: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
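The process tree above is the whole loader in one screen: a renamed cmd.exe batch (Luck.bat) runs tasklist twice and greps the output for security-product process names, rebuilds the next stage with copy /b from eleven innocuously named fragments into a file called C, launches it through a .pif from %LOCALAPPDATA%\Temp, and that .pif then registers a scheduled task and a Startup .url before starting a relocated RegAsm.exe with no arguments. The following is an added example, not part of the Joe Sandbox report: it encodes those command-line patterns as triage rules and runs them over records constructed from the "Process created" lines above (the report gives no PIDs, so events are keyed by parent image, image and command line). Rule names, helper functions and the security-product list are this example's own.

```python
"""Command-line triage for the loader chain in this report (added example; the
records are constructed from the 'Process created' lines of the report, and the
rule names and helpers are this example's own, not Joe Sandbox's)."""
import re

# Process names this sample greps for after 'tasklist' (taken from its two findstr lines).
SECURITY_PRODUCT_PROCS = {"wrsa", "opssvc", "avastui", "avgui",
                          "bdservicehost", "nswscsvc", "sophoshealth"}

# (parent image, image, command line), constructed from the report; no PIDs are given there.
EVENTS = [
    (r"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "wrsa opssvc"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /V "VegetablesIndividualBindingGba" Ever'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti"
     r" + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\AppData\Local\Temp\684126\Intake.pif",
     "Intake.pif C"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    (r"C:\Users\user\AppData\Local\Temp\684126\Intake.pif", r"C:\Windows\SysWOW64\cmd.exe",
     r'''cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F'''),
    (r"C:\Users\user\AppData\Local\Temp\684126\Intake.pif", r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu'
     r'\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies'
     r'\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
     r'\TurtleHarbor.url" & exit'),
    (r"C:\Users\user\AppData\Local\Temp\684126\Intake.pif",
     r"C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe",
     r"C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe"),
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif",
     r'"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" '
     r'"C:\Users\user\AppData\Local\SecureData Technologies\Y"'),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def copy_b_fragments(cmdline):
    """(fragment names in order, output name) for a 'copy /b a + b + c out'
    command, or None. A responder uses the order to rebuild the stage from
    the fragments collected from disk."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.IGNORECASE)
    if not m:
        return None
    return [f.strip() for f in m.group(1).split("+")], m.group(2)


def triage(events):
    """Return (rule, detail) findings for every event that matches a rule."""
    findings = []
    for parent, image, cmdline in events:
        img, par, low = basename(image), basename(parent), cmdline.lower()
        # tasklist | findstr /I "<security product process names>"
        if img == "findstr.exe" and par == "cmd.exe":
            m = re.search(r'/i\s+"([^"]+)"', cmdline, re.IGNORECASE)
            hits = set(m.group(1).lower().split()) & SECURITY_PRODUCT_PROCS if m else set()
            if hits:
                findings.append(("security_product_check", sorted(hits)))
        # next stage rebuilt from several fragments with copy /b
        cb = copy_b_fragments(cmdline)
        if cb and len(cb[0]) >= 3:
            findings.append(("staged_payload_reassembly", cb[1]))
        # .pif executed from inside the user profile
        if img.endswith(".pif") and "\\appdata\\" in image.lower():
            findings.append(("pif_from_user_profile", img))
        # scheduled task whose action is wscript in batch (//B) mode
        if "schtasks" in low and "/create" in low and "wscript" in low and "//b" in low:
            findings.append(("scheduled_task_runs_wscript_batch", "//B"))
        # .url shortcut written into the Startup folder with echo redirects
        if img == "cmd.exe" and "\\startup\\" in low and ".url" in low and "echo" in low:
            findings.append(("startup_url_shortcut_written", ".url"))
        # RegAsm.exe outside %WINDIR%\Microsoft.NET, started by a .pif
        if img == "regasm.exe" and "\\microsoft.net\\" not in image.lower() and par.endswith(".pif"):
            findings.append(("regasm_relocated_launched_by_pif", par))
    return findings


def summarize(events):
    """Rule -> number of matching events, for a quick verdict on a process tree."""
    counts = {}
    for rule, _ in triage(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:36s} {detail}")
```

Run against the constructed tree this yields eight findings from six rules; the two tasklist launches, the md, the choice delay and the findstr /V filter (which strips a junk marker line from the fragment "Ever", not a process check) correctly produce nothing. The same rules map directly onto Sysmon event 1 or Windows 4688 fields (ParentImage, Image, CommandLine) in a SIEM.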
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
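The second persistence mechanism is the one most easily missed in a review of autoruns: Intake.pif writes a plain InternetShortcut file into the per-user Startup folder whose URL= line is not a web address but the local path of TurtleHarbor.js, so Explorer hands the .js to wscript at every logon, independently of the five-minute scheduled task. The following is an added example, not part of the Joe Sandbox report, of how to hunt for that artifact: it parses .url files from a Startup folder, distinguishes a web link from a local target, and flags targets whose extension a script host or loader would execute. The shortcut text is constructed from the "cmd /k echo" command line above (cmd's echo keeps the space before the redirect, so each written line carries a trailing blank); the extension list, helper names and the use of a temporary directory in place of the real Startup folder are this example's own assumptions.

```python
"""Hunt for Startup-folder .url shortcuts that point at a local script, the
persistence this sample sets up with TurtleHarbor.url -> TurtleHarbor.js.
Added example, not part of the report; the shortcut text is constructed from
the 'cmd /k echo' command line in the report."""
import configparser
import os
import re
import tempfile

# Extensions Explorer hands to a script host or loader when the .url target is a
# local path rather than a web URL (this example's own list).
LOCAL_LAUNCH_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".pif", ".scr", ".exe", ".com"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Exactly what 'echo [InternetShortcut] > f & echo URL="..." >> f' leaves on disk.
CONSTRUCTED_URL_FILE = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\SecureData Technologies\\TurtleHarbor.js" \r\n'
)


def parse_url_shortcut(text):
    """URL= target of an InternetShortcut file with quotes and padding removed,
    or None when the file has no such entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    target = cp.get("InternetShortcut", "URL", fallback=None)
    return target.strip().strip('"') if target else None


def classify_target(target):
    """Reason string when the target is a local script/executable, else None."""
    if re.match(r"[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        if not target.lower().startswith("file://"):
            return None                      # ordinary web link
        target = target[len("file://"):]     # file:// still resolves to a local path
    path = target.replace("/", "\\").lower()
    ext = os.path.splitext(path)[1]
    if ext not in LOCAL_LAUNCH_EXTS:
        return None
    where = "user-writable path" if any(w in path for w in USER_WRITABLE) else "other path"
    return f"{ext} launched from {where}"


def scan_startup_folder(folder):
    """(file name, target, reason) for every suspicious .url in the folder."""
    hits = []
    for entry in os.scandir(folder):
        if not (entry.is_file() and entry.name.lower().endswith(".url")):
            continue
        with open(entry.path, encoding="utf-8", errors="replace") as fh:
            target = parse_url_shortcut(fh.read())
        reason = classify_target(target) if target else None
        if reason:
            hits.append((entry.name, target, reason))
    return sorted(hits)


def demo():
    """Stand-alone run: write the constructed shortcut plus a benign web link into
    a temporary folder and scan it as if it were the user's Startup folder."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "TurtleHarbor.url"), "w", newline="") as fh:
            fh.write(CONSTRUCTED_URL_FILE)
        with open(os.path.join(folder, "Docs.url"), "w", newline="") as fh:
            fh.write("[InternetShortcut]\r\nURL=https://example.invalid/docs\r\n")
        return scan_startup_folder(folder)


if __name__ == "__main__":
    for name, target, reason in demo():
        print(f"{name}: {target} ({reason})")
```

On a live host, point scan_startup_folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and at the all-users Startup folder under %ProgramData%; a .url whose target is a .js under AppData, as here, has no legitimate reason to exist and pairs with the "Additionally" task as a second indicator to remove.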
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Static file information: File size 1414800 > 1048576
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00338B75 push ecx; ret 18_2_00338B88
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00338B75 push ecx; ret 20_2_00338B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif File created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif File created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 18_2_003959B3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 18_2_00325EDA
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 20_2_003959B3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 20_2_00325EDA
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_003333B7
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE@\^Q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE`,^Q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: 4840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Window / User API: threadDelayed 5110 Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif TID: 7548 Thread sleep time: -51100s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe TID: 2088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe TID: 1608 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Thread sleep count: Count: 5110 delay: -10 Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00405B98 FindFirstFileW,FindClose, 0_2_00405B98
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406559
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_004029F1 FindFirstFileW, 0_2_004029F1
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose, 18_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037CD14 FindFirstFileW,FindClose, 18_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 18_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00373CE2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 20_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose, 20_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037CD14 FindFirstFileW,FindClose, 20_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 20_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 20_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00373CE2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 18_2_00325D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\684126\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\684126 Jump to behavior
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe`,^q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe@\^q
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003845D5 BlockInput, 18_2_003845D5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 18_2_00325240
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00345CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 18_2_00345CAC
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405BBF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 18_2_003688CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033A354 SetUnhandledExceptionFilter, 18_2_0033A354
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0033A385
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033A354 SetUnhandledExceptionFilter, 20_2_0033A354
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_0033A385
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 1100000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 900000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 1100000
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: FF4000
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 900000
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 650000
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00369369 LogonUserW, 18_2_00369369
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 18_2_00325240
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00371AC6 SendInput,keybd_event, 18_2_00371AC6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003751E2 mouse_event, 18_2_003751E2
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & echo url="c:\users\user\appdata\local\securedata technologies\turtleharbor.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & exit
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_003688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 18_2_003688CD
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00374F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 18_2_00374F1C
Source: Intake.pif, 0000000A.00000000.1668778484.0000000000E86000.00000002.00000001.01000000.00000005.sdmp, Intake.pif, 0000000A.00000003.1677117559.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, TurtleHarbor.pif, 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TurtleHarbor.pif Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002A63000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0033885B cpuid 18_2_0033885B
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
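The long run of VolumeInformation queries above, one per file under C:\Windows\Fonts, comes from the injected RegAsm.exe after it loads System.Windows.Forms and System.Drawing: GDI+ font enumeration touches every installed font file, so that run is triage noise rather than data collection (this reading of the events is an analyst interpretation, not a conclusion the report itself states). The signal in the run is the handful of non-font targets, above all the fact that RegAsm.exe is executing from C:\Users\user\AppData\Local\Temp\684126\ instead of the .NET Framework directory. The following Python helper is an added example and is not part of this report or of any sandbox tooling; it parses lines in the shape shown above (the sample lines are constructed from this section), collapses font-directory queries into a per-process count, keeps every other target verbatim, and flags process images that are out of place. The Framework directory prefixes and the list of relocatable .NET utilities are assumptions chosen for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of this report's behaviour lines (the real
# section carries about 200 font entries; a few are enough to exercise the logic).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
""".strip().splitlines()

# One report line: "Source: <image> Queries volume information: <target> VolumeInformation [Jump to behavior]"
VOLINFO_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Queries volume information:\s+"
    r"(?P<target>.+?)\s+VolumeInformation(?:\s+Jump to behavior)?$"
)

FONT_DIR = "c:\\windows\\fonts\\"
# Assumed legitimate homes of the .NET SDK utilities (32- and 64-bit Framework).
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
               "c:\\windows\\microsoft.net\\framework64\\")
# Assumed list of .NET utilities that are commonly copied out and used as injection hosts.
RELOCATABLE_LOLBINS = {"regasm.exe", "regsvcs.exe"}


def parse_volinfo(line):
    """Return (process_image, target_path) for a volume-information line, else None."""
    m = VOLINFO_RE.match(line.strip())
    return (m.group("proc"), m.group("target")) if m else None


def summarize_volinfo(lines):
    """Count font-directory queries per process; keep every other target verbatim."""
    font_hits = Counter()
    other_targets = []
    for line in lines:
        parsed = parse_volinfo(line)
        if parsed is None:
            continue  # not a volume-information event (e.g. a registry query)
        proc, target = parsed
        if target.lower().startswith(FONT_DIR):
            font_hits[proc] += 1
        else:
            other_targets.append((proc, target))
    return {"font_queries": dict(font_hits), "other_targets": other_targets}


def image_path_anomalies(process_images):
    """Flag relocated .NET utilities and .pif executables living under AppData."""
    findings = []
    for image in sorted(set(process_images)):
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in RELOCATABLE_LOLBINS and not low.startswith(DOTNET_DIRS):
            findings.append((image, "dotnet utility running outside its Framework directory"))
        if name.endswith(".pif") and "\\appdata\\" in low:
            findings.append((image, ".pif executable in user-writable AppData"))
    return findings


if __name__ == "__main__":
    summary = summarize_volinfo(SAMPLE_LINES)
    for proc, n in summary["font_queries"].items():
        print(f"{n} font-directory queries by {proc} (enumeration noise)")
    for proc, target in summary["other_targets"]:
        print(f"non-font target: {target}  [{proc}]")
    images = [proc for proc, _ in summary["other_targets"]]
    # The .pif image from the code-function lines later in this report, added by hand.
    images.append(r"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif")
    for image, reason in image_path_anomalies(images):
        print(f"ANOMALY: {image}: {reason}")
```

The same two checks translate directly to endpoint telemetry: a process-creation event whose image name is RegAsm.exe or RegSvcs.exe with an image path outside C:\Windows\Microsoft.NET\Framework\ or Framework64\ is the durable indicator for this injection pattern, independent of the hash of the dropper.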
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00350030 GetLocalTime,__swprintf, 18_2_00350030
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00350722 GetUserNameW, 18_2_00350722
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0034416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 18_2_0034416A
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe Code function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle, 0_2_00405C70
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Caveat: MachineGuid is a common host-fingerprint value, but a read of it is weak evidence on its own (the CLR, WMI and many installers read it too), and Sysmon registry events (IDs 12, 13 and 14) record key creation, value writes and renames, not reads, so this query will not surface in endpoint registry telemetry; hunt on the wscript.exe launch context recorded elsewhere in this report instead.

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5460, type: MEMORYSTR
Source: TurtleHarbor.pif Binary or memory string: WIN_81
Source: TurtleHarbor.pif Binary or memory string: WIN_XP
Source: TurtleHarbor.pif Binary or memory string: WIN_XPe
Source: TurtleHarbor.pif Binary or memory string: WIN_VISTA
Source: TurtleHarbor.pif Binary or memory string: WIN_7
Source: TurtleHarbor.pif Binary or memory string: WIN_8
Source: Intake.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Interpretation (not stated by the report): the token run above (X86/IA64/X64, WIN32_NT, the WIN_10 through WIN_XP series, the version string 3, 3, 14, 3 and the DllCall type names winapi/stdcall/ubyte) matches the string constants of the AutoIt v3.3.14.3 runtime, so Intake.pif and TurtleHarbor.pif are consistent with compiled AutoIt scripts renamed to .pif. The WIN_* strings that triggered this section are operating-system version macro values and are not by themselves evidence of credential theft; the substantive stealer indicator here is the RedLine Yara match in RegAsm.exe memory.

Remote Access Functionality

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5460, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 18_2_0038696E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 18_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 18_2_00386E32
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 20_2_0038696E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif Code function: 20_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 20_2_00386E32
Caveat: a socket/bind/listen code path shows that the binary contains server-socket capability, not that it was exercised during the run; the report records no contacted IPs and no listening-socket event, so the remote-access classification rests on the RedLine Yara match in RegAsm.exe memory rather than on observed network activity from TurtleHarbor.pif.
No contacted IP infos