Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521604
MD5: 4fed3d45c6e03e3c723f2bae2678b6ca
SHA1: b6c5a52d130573f8facba126caf3f5f50c7e8d69
SHA256: 36dbd88e04005441a30022160e04c365b046526b4a384d6b32262f277746b7fe
Tags: NET, exe, MSIL, user-jstrosch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\Desktop\update.exe Avira: detection malicious, Label: HEUR/AGEN.1307097
Source: C:\Users\user\Desktop\cabal.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\update.exe ReversingLabs: Detection: 57%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 83.7% probability
Source: C:\Users\user\Desktop\cabal.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\update.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Work\Misc\7zip\CS\SevenZipSharp\SevenZip\obj\Release\SevenZipSharp.pdb source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp, SevenZipSharp.dll.0.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdbdc source: file.exe, cabal.exe.5.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\update\obj\Debug\update.pdb source: update.exe, 00000005.00000000.1752033069.0000000000E92000.00000002.00000001.01000000.0000000E.sdmp, update.exe.0.dr
Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp, System.Windows.Interactivity.dll.0.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdb source: file.exe, cabal.exe.5.dr
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-00000154h] 0_2_0301CD58
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0301D090h 0_2_0301CD58
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-00000154h] 0_2_0301CB0C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0301D090h 0_2_0301CB0C
Source: C:\Users\user\Desktop\update.exe Code function: 4x nop then mov eax, dword ptr [ebp-00000158h] 5_2_0EEF23D8
Source: C:\Users\user\Desktop\update.exe Code function: 4x nop then jmp 0EEF2722h 5_2_0EEF23D8
Source: C:\Users\user\Desktop\update.exe Code function: 4x nop then mov eax, dword ptr [ebp-00000158h] 5_2_0EEF23CF
Source: C:\Users\user\Desktop\update.exe Code function: 4x nop then jmp 0EEF2722h 5_2_0EEF23CF

Networking

Source: Network traffic Suricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 194.233.88.151:80 -> 192.168.2.9:49716
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 23:01:43 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 18 Sep 2024 06:43:50 GMTETag: "599400-6225f20eeb75e"Accept-Ranges: bytesContent-Length: 5870592Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a6 76 ea 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3e 59 00 00 54 00 00 00 00 00 00 42 5d 59 00 00 20 00 00 00 60 59 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 59 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 5c 59 00 4f 00 00 00 00 60 59 00 80 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 59 00 0c 00 00 00 b8 5b 59 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 48 3d 59 00 00 20 00 00 00 3e 59 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 51 00 00 00 60 59 00 00 52 00 00 00 40 59 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 59 00 00 02 00 00 00 92 59 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 24 5d 59 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 69 00 00 78 7e 00 00 03 00 00 00 0a 00 00 06 20 e8 00 00 98 73 58 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 03 00 4e 00 00 00 01 00 00 11 00 28 07 00 00 06 00 28 06 00 00 06 00 28 1d 00 00 0a 02 fe 06 05 00 00 06 73 1e 00 00 0a 6f 1f 00 00 0a 00 00 28 03 00 00 06 26 7e 01 00 00 04 28 20 00 00 0a 16 9a 6f 21 00 00 0a 80 01 00 00 04 00 de 09 0a 00 06 73 be 00 00 06 7a 2a 00 00 01 10 00 00 00 00 24 00 20 44 00 09 17 00 00 01 13 30 01 00 14 00 00 00 01 00 00 11 00 04 6f 22 00 00 0a 74 17 00 00 01 0a 06 73 be 00 00 06 7a 0a 00 2a 00 13 30 04 00 d4 00 00 00 02 00 00 11 00 28 23 00 00 0a 0a 06 6f 24 00 00 0a 28 25 00 00 0a 0b 07 8e 69 17 fe 02 0c 08 2c 1c 00 72 01 00 00 70 72 51 00 00 70 16 1f 10 28 26 00 00 0a 26 17 28 27 00 00 0a 00 00 72 5d 00 00 70 28 25 00 00 0a 8e 69 17 fe 04 16 fe 01 0d 09 2c 1c 00 72 71 00 00 70 72 51 00 00 70 16 1f 10 28 26 00 00 0a 26 17 28 27 00 00 0a 00 00 72 bd 00 00 70 28 25 00 00 0a 8e 69 17 fe 04 16 fe 01 13 04 11 04 2c 1c 00 72 01 00 00 70 72 51 00 00 70 16 1f 10 28 26 00 00 0a 26 17 28 27 00 00 0a 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 23:01:50 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 16 Feb 2012 19:20:00 GMTETag: "24e00-4b919b6e27ec5"Accept-Ranges: bytesContent-Length: 151040Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 98 69 76 4c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 44 02 00 00 08 00 00 00 00 00 00 1e 63 02 00 00 20 00 00 00 80 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 02 00 00 02 00 00 7c 02 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d0 62 02 00 4b 00 00 00 00 80 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 0c 00 00 00 50 62 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 43 02 00 00 20 00 00 00 44 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 50 04 00 00 00 80 02 00 00 06 00 00 00 46 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 02 00 00 02 00 00 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 02 00 00 00 00 00 48 00 00 00 02 00 05 00 1c 2b 01 00 34 37 01 00 09 00 00 00 00 00 00 00 a8 03 01 00 71 27 00 00 50 20 00 00 00 01 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 26 13 04 10 f3 64 c3 b8 32 4d f8 fd af 30 1c 79 73 13 00 10 7c 36 8d 45 02 f7 c5 6e 9a 50 c5 c0 01 f0 17 06 d4 e6 8c 8d 3d c3 1d 40 a5 44 c7 06 79 c5 fb 5b b0 2c c8 0a 76 4c 43 9f 02 32 c4 40 d1 91 b7 d6 7b c1 90 b3 8b 10 5b 9f 8a 9c 72 2e f3 74 8a 01 e9 d8 65 bb 0a bb 34 c7 1d e1 42 31 d4 67 d3 57 51 50 0a ed fc 75 b7 43 b3 07 89 5b 4b 41 27 47 93 6f ef 46 79 d2 ca af 8b 08 cb c5 af 3e 83 1a b0 b5 87 aa 68 06 38 f6 3a 95 20 fa 03 b9 d4 40 84 ce f9 0b f3 67 8a 38 d0 71 95 fb 48 85 a2 09 52 2c 84 bf b1 88 19 28 9b b5 70 99 1e 86 eb 19 8e c1 5c 53 2c 93 fe e4 6e b3 e5 d4 73 9e b8 f4 a4 13 86 e9 3c ca eb 25 1d 38 ed 45 b6 ff 5a 58 ad ef b4 e5 9f e4 7d 15 47 cd fd 23 db c0 59 0f e4 cf 02 1d 2b 46 5a 50 08 5f c7 69 24 58 f8 79 04 41 3a 11 21 a1 d7 84 06 aa 74 03 30 03 00 4f 00 00 00 00 00 00 00 7e 1a 00 00 04 02 6f 15 00 00 0a 2d 10 7e 1a 00 00 04 02 73 16 00 00 0a 6f 17 00 00 0a 7e 1a 00 00 04 02 6f 18 00 00 0a 03 6f 19 00 00 0a 2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 23:01:51 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Sun, 02 Jun 2013 12:55:35 GMTETag: "9c00-4de2b5d2c7fc0"Accept-Ranges: bytesContent-Length: 39936Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 64 75 fc 4b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 92 00 00 00 08 00 00 00 00 00 00 ae b0 00 00 00 20 00 00 00 c0 00 00 00 00 20 3b 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 01 00 00 02 00 00 86 0c 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c b0 00 00 4f 00 00 00 00 c0 00 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 0c 00 00 00 8c af 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 90 00 00 00 20 00 00 00 92 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a8 04 00 00 00 c0 00 00 00 06 00 00 00 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 00 00 00 02 00 00 00 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 b0 00 00 00 00 00 00 48 00 00 00 02 00 05 00 34 4f 00 00 58 60 00 00 09 00 00 00 00 00 00 00 78 44 00 00 b9 0a 00 00 50 20 00 00 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7b 63 e0 e9 de 32 0d f2 0d 7f 8e ca 71 17 84 5a 2c d1 b8 43 b5 08 04 ad 95 33 ef 6e d1 8e 5a 1c 1e 37 b6 fb 04 93 52 ea b3 f7 cf f5 d8 54 7f 7b 79 46 22 29 69 02 24 4a 4d 76 8f 87 b6 2c 61 b8 dd 93 d3 ee cd 55 81 a4 f8 4d 3a 2c da 0d 98 5a b3 51 3a 12 b0 63 7f c5 4e cc 7b a4 ab 17 07 3c f1 8c b9 de f2 f6 68 25 18 8b fa ab f2 b9 3a 73 b8 8d 54 d0 1a f7 5a b3 67 53 49 8c ec 0a fd 11 36 02 28 15 00 00 0a 02 7b 16 00 00 0a 2a 00 00 13 30 04 00 26 00 00 00 01 00 00 11 02 28 17 00 00 0a 02 0a 06 02 fe 06 18 00 00 0a 73 19 00 00 0a 6f 1a 00 00 0a 02 73 1b 00 00 0a 7d 1c 00 00 0a 2a 00 00 13 30 03 00 4b 00 00 00 02 00 00 11 02 28 1e 00 00 0a 02 7b 1c 00 00 0a 6f 1f 00 00 0a fe 01 0a 06 2c 33 16 0b 2b 26 02 07 28 20 00 00 0a 8c 0b 00 00 1b 02 7b 1c 00 00 0a 07 6f 21 00 00 0a 8c 0b 00 00 1b 2e 03 16 0a 2a 07 17 58 0b 07 02 28 1e 00 00 0a 32 d1 2a 00 13 30 05 00 4c 00 00 00 03 00 00 11 02 7b 1c 00 00 0a 03 6f 22 00 00 0a 2c 3d 28 23 00 00 0a
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Sep 2024 23:01:56 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 18 Sep 2024 06:43:49 GMTETag: "19a00-6225f20ed1e6b"Accept-Ranges: bytesContent-Length: 104960Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a5 76 ea 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 44 01 00 00 54 00 00 00 00 00 00 8e 63 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 63 01 00 4f 00 00 00 00 80 01 00 d4 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 0c 00 00 00 04 62 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 43 01 00 00 20 00 00 00 44 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 51 00 00 00 80 01 00 00 52 00 00 00 46 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 01 00 00 02 00 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 63 01 00 00 00 00 00 48 00 00 00 02 00 05 00 00 43 00 00 54 4e 00 00 03 00 00 00 0a 00 00 06 54 91 00 00 b0 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 03 00 4e 00 00 00 01 00 00 11 00 28 06 00 00 06 00 28 05 00 00 06 00 28 1c 00 00 0a 02 fe 06 07 00 00 06 73 1d 00 00 0a 6f 1e 00 00 0a 00 00 28 01 00 00 06 26 7e 01 00 00 04 28 1f 00 00 0a 16 9a 6f 20 00 00 0a 80 01 00 00 04 00 de 09 0a 00 06 73 7c 00 00 06 7a 2a 00 00 01 10 00 00 00 00 24 00 20 44 00 09 13 00 00 01 0a 00 2a 00 13 30 01 00 14 00 00 00 01 00 00 11 00 04 6f 21 00 00 0a 74 13 00 00 01 0a 06 73 7c 00 00 06 7a 13 30 03 00 7d 00 00 00 02 00 00 11 00 02 28 22 00 00 0a 0a 06 2c 65 00 02 19 17 73 23 00 00 0a 0b 73 24 00 00 0a 0c 08 07 6f 25 00 00 0a 0d 07 6f 26 00 00 0a 00 73 27 00 00 0a 13 04 16 13 05 2b 22 00 11 04 09 11 05 8f 5e 00 00 01 72 01 00 00 70 28 28 00 00 0a 6f 29 00 00 0a 26 00 11 05 17 58 13 05 11 05 09 8e 69 fe 04 13 06 11 06 2d d1 11 04 6f 20 00 00 0a 13 07 2b 0a 00 72 07 00 00 70 13 07 2b 00 11 07 2a 52 00 02 72 09 00 00 70 18 73 2a 00 00 0a 28 2b 00 00 0a 00 2a 00 00 13 30 01 00 16 00 00 00 03 00 0
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33//client/update.exe HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/7z.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/SevenZipSharp.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/System.Windows.Interactivity.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33/client/cabal.exe HTTP/1.1Host: 194.233.88.151
Source: Joe Sandbox View ASN Name: NEXINTO-DE NEXINTO-DE
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 194.233.88.151:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49714 -> 194.233.88.151:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49716 -> 194.233.88.151:80
Source: global traffic HTTP traffic detected: GET /ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 194.233.88.151Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: unknown TCP traffic detected without corresponding DNS query: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33//client/update.exe HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/7z.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/SevenZipSharp.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//client/System.Windows.Interactivity.dll HTTP/1.1Host: 194.233.88.151
Source: global traffic HTTP traffic detected: GET /ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33//resources.xml HTTP/1.1Host: 194.233.88.151Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ep33/client/cabal.exe HTTP/1.1Host: 194.233.88.151
Source: global traffic DNS traffic detected: DNS query: s4.gtsystems.hu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 23:01:49 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Content-Length: 300Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 32 2e 31 32 20 53 65 72 76 65 72 20 61 74 20 31 39 34 2e 32 33 33 2e 38 38 2e 31 35 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Server at 194.233.88.151 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Sep 2024 23:01:55 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Content-Length: 300Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 32 2e 31 32 20 53 65 72 76 65 72 20 61 74 20 31 39 34 2e 32 33 33 2e 38 38 2e 31 35 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Server at 194.233.88.151 Port 80</address></body></html>
Source: update.exe, 00000005.00000002.2604986761.0000000003A05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88
Source: file.exe, 00000000.00000002.1756047886.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1756047886.000000000339C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003A05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151
Source: file.exe, cabal.exe.5.dr, update.exe.0.dr String found in binary or memory: http://194.233.88.151/ep33/
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/7z.dll
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/7z.dllP
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/SevenZipSharp.dll
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/SevenZipSharp.dllP
Source: file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/System.Windows.Interactivity.dll
Source: file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/System.Windows.Interactivity.dllP
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/update.exe
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//client/update.exeP
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.00000000037D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//resources.xml
Source: update.exe, 00000005.00000002.2604986761.0000000003A05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024
Source: update.exe, 00000005.00000002.2611915048.000000000680C000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000005.00000002.2617391786.000000000CA07000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000005.00000002.2617391786.000000000CA3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53
Source: update.exe, 00000005.00000002.2611915048.000000000680C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53B&
Source: update.exe, 00000005.00000002.2611915048.000000000680C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.phpt=28/09/2024
Source: update.exe, 00000005.00000002.2604986761.0000000003721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.233.88.151/ep33/client/cabal.exe
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/MainWindow.xaml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Resources/Themes/Generic.xaml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Resources/Themes/Generic.xamld
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/cabal;component/Resources/Images/cabal.png
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/cabal;component/Resources/Images/cabal.pngd
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/cabal;component/favicon.ico
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/cabal;component/favicon.icod
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibri.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibri.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibrib.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibrib.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibrii.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibrii.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibriz.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/calibriz.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewp.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-light.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-light.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/Resources/Fonts/segoewpn.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: update.exe, 00000005.00000002.2614947145.0000000008892000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.comQ
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/MainWindow.xaml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/MainWindow.xamld
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibri.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibri.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibrib.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibrib.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibrii.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibrii.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibriz.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/calibriz.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewp.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-light.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-light.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Fonts/segoewpn.ttfd
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Images/cabal.png
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Images/cabal.pngd
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Themes/Generic.xaml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Resources/Themes/Generic.xamld
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.baml
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.bamld
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/favicon.ico
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/favicon.icod
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/mainwindow.baml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibri.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibri.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibrib.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibrib.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibrii.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibrii.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibriz.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/calibriz.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewp.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-black.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-black.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-bold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-bold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-light.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-light.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-semibold.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-semibold.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-semilight.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn-semilight.ttfd
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn.ttf
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/fonts/segoewpn.ttfd
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/images/cabal.png
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/images/cabal.pngd
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/themes/generic.baml
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/resources/themes/generic.bamld
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: update.exe, 00000005.00000002.2604986761.0000000003884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/favicon.ico
Source: file.exe, 00000000.00000002.1756047886.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/favicon.icod
Source: file.exe, 00000000.00000002.1756047886.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003841000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.1756047886.000000000339C000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003A05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003841000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.2604986761.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SevenZipSharp.dll.0.dr String found in binary or memory: http://sevenzipsharp.codeplex.com/WorkItem/List.aspx
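The URL-like strings listed above mix three kinds of material: real network indicators (the hard-coded 194.233.88.151 host, including the cabal.exe download path), placeholder authorities that WPF's pack-URI resource plumbing uses internally (http://defaultcontainer/, http://foo/, http://foo/bar/) and never contacts over the wire, and XML namespace identifiers. Many entries also appear twice because the string scanner glued the next printable byte onto the URL (".xaml" beside ".xamld", "...53" beside "...53B&"). The following Python is an added example, not part of the Joe Sandbox report, that sorts a constructed subset of these strings into those buckets after folding the junk-suffixed variants onto their base; the placeholder and namespace host lists are assumptions drawn from this report, not a complete catalogue.

```python
"""Triage of memory URL strings (added example, not Joe Sandbox code).

Splits the strings a sandbox lists under "String found in binary or memory"
into network IOCs, WPF pack-URI placeholders, XML namespace identifiers and
other URLs, after folding junk-suffixed variants ("...xamld", "...53B&")
back onto their clean form.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a subset of the report's strings, junk suffixes included.
SAMPLE_STRINGS = [
    "http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53",
    "http://194.233.88.151/ep33//web/kmnkNIANBDUIbudbnIA.php?t=28/09/2024%2019:01:53B&",
    "http://194.233.88.151/ep33/client/cabal.exe",
    "http://defaultcontainer/MainWindow.xaml",
    "http://defaultcontainer/MainWindow.xamld",
    "http://foo/bar/resources/images/cabal.png",
    "http://fontfabrik.comQ",
    "http://schemas.xmlsoap.org/wsdl/",
    "http://sevenzipsharp.codeplex.com/WorkItem/List.aspx",
]

# Placeholder authorities WPF / System.IO.Packaging use while resolving pack
# URIs inside the assembly; they are never contacted over the network.
# (Assumption: limited to the two hosts seen in this report.)
WPF_PLACEHOLDER_HOSTS = {"defaultcontainer", "foo"}
# Hosts that appear in .NET binaries only as XML namespace identifiers.
NAMESPACE_HOSTS = {"schemas.xmlsoap.org", "schemas.microsoft.com", "www.w3.org"}


def collapse_junk_variants(strings, max_extra=2):
    """Drop s when the set also holds s minus its last 1..max_extra characters.

    String scanners routinely glue the next printable byte(s) onto a URL, so
    the report lists "x.xaml" and "x.xamld" side by side; keep only the base.
    """
    keep = set(strings)
    for s in strings:
        for extra in range(1, max_extra + 1):
            base = s[:-extra]
            if base and base in keep:
                keep.discard(s)
                break
    return sorted(keep)


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(url):
    host = urlsplit(url).hostname or ""
    if host in WPF_PLACEHOLDER_HOSTS:
        return "wpf_resource"
    if host in NAMESPACE_HOSTS:
        return "xml_namespace"
    if is_ip_literal(host):
        return "network_ioc"   # hard-coded IP: the C2 / download host
    return "other_url"


def triage(strings):
    """Bucket every http(s) string; non-URL strings are ignored."""
    buckets = {"network_ioc": [], "other_url": [], "wpf_resource": [], "xml_namespace": []}
    for s in collapse_junk_variants(strings):
        if s.startswith(("http://", "https://")):
            buckets[classify(s)].append(s)
    return buckets


def payload_urls(buckets):
    """Network IOCs whose path names an executable: the second-stage download."""
    return [u for u in buckets["network_ioc"]
            if urlsplit(u).path.lower().endswith((".exe", ".dll", ".ps1", ".bat"))]


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for bucket, urls in result.items():
        for u in urls:
            print(f"{bucket:14} {u}")
    print("payload:", payload_urls(result))
```

Only the network_ioc bucket (and, from it, payload_urls) should feed blocklists or Suricata rules; the wpf_resource and xml_namespace buckets are noise that every WPF/.NET binary produces, and matching on them would fire on legitimate software.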
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_0EEF00A8 5_2_0EEF00A8
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_0EEF23D8 5_2_0EEF23D8
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_0EEF23CF 5_2_0EEF23CF
Source: file.exe, 00000000.00000002.1766460493.000000000D1C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate.exe: vs file.exe
Source: file.exe, 00000000.00000000.1344625350.0000000000F18000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecabal.exeB vs file.exe
Source: file.exe, 00000000.00000002.1754990741.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1762583145.000000000C19E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate.exe: vs file.exe
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupdate.exe: vs file.exe
Source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSevenZipSharp.dll< vs file.exe
Source: file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Interactivity.dll\ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamecabal.exeB vs file.exe
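Each line above compares the OriginalFilename field of a VERSIONINFO block found on disk or in memory with the name the sample actually runs under (file.exe). Several different names in one process (cabal.exe, update.exe, SevenZipSharp.dll, System.Windows.Interactivity.dll) show that the dropper carries other PEs inside it, which matches the update.exe it writes to the Desktop. The following Python is an added example, not the sandbox's own code, that performs the same comparison on raw bytes by locating the UTF-16LE "OriginalFilename" string entry rather than walking the PE resource tree, so it works on a memory dump as well as a file; the sample dump it scans is constructed from hand-built VS_VERSIONINFO string entries.

```python
"""OriginalFilename vs. on-disk name (added example, not Joe Sandbox code).

Scans raw bytes for the UTF-16LE VS_VERSIONINFO "OriginalFilename" string
entry instead of walking the PE resource tree, so it works on memory dumps
and on embedded/dropped PEs as well as on files.
"""
import os
import re
import struct

# String entry layout: wLength, wValueLength, wType, szKey\0, DWORD padding, value\0
_ORIGINAL_FILENAME = re.compile(
    "OriginalFilename".encode("utf-16-le")
    + rb"\x00\x00"                        # key terminator
    + rb"(?:\x00\x00)?"                   # padding to a 4-byte boundary, if any
    + rb"((?:[\x20-\x7e]\x00){1,260}?)"   # value: printable ASCII as UTF-16LE
    + rb"\x00\x00"                        # value terminator
)


def find_original_filenames(blob):
    """Every OriginalFilename value found in blob, in order of appearance."""
    return [m.group(1).decode("utf-16-le") for m in _ORIGINAL_FILENAME.finditer(blob)]


def version_info_mismatches(blob, running_name):
    """OriginalFilename values that differ from the name the sample runs under."""
    return sorted({n for n in find_original_filenames(blob)
                   if n.lower() != running_name.lower()})


def check_file(path):
    """Mismatches for a file on disk, judged against its own file name."""
    with open(path, "rb") as f:
        return version_info_mismatches(f.read(), os.path.basename(path))


def _string_entry(key, value):
    """Build one VS_VERSIONINFO String struct (constructed test data only)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(key_b)) % 4 else b""
    body = key_b + pad + value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a process dump that holds the dropper's own version
# block plus the version block of the update.exe it carries as a resource.
SAMPLE_DUMP = (
    b"\x00" * 8
    + _string_entry("CompanyName", "Example Corp")
    + _string_entry("OriginalFilename", "cabal.exe")
    + b"MZ\x90\x00" * 4
    + _string_entry("OriginalFilename", "update.exe")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("embedded names:", find_original_filenames(SAMPLE_DUMP))
    print("mismatch vs file.exe:", version_info_mismatches(SAMPLE_DUMP, "file.exe"))
```

A single mismatch is weak evidence on its own (renamed installers are common); two or more distinct OriginalFilename values in one image, as here, is the stronger signal, because it means additional PE images are embedded or have been mapped into the process.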
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.winEXE@3/16@1/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\update.exe
Source: C:\Users\user\Desktop\update.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\resources.xml
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\update.exe "C:\Users\user\Desktop\update.exe" mmoparadox
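The lines above record file.exe launching the update.exe it had written to the Desktop moments earlier, passing a single argument, mmoparadox; cabal.exe is fetched later by update.exe but is not started in this run. The Python below is an added example, not Joe Sandbox code, that correlates file-create and process-create telemetry into that drop-and-execute chain and separately reports a dropped PE that never ran. The Sysmon-style events it consumes are constructed to mirror this report's process tree; PIDs and timestamps are invented.

```python
"""Drop-and-execute correlation (added example, not Joe Sandbox code).

Joins file-create and process-create events so that a PE written by one
process and then launched as its child shows up as one chain, and a PE that
was written but never started is reported separately.  The events below are
constructed to mirror this report's process tree, not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed Sysmon-style records: id 11 = FileCreate, id 1 = ProcessCreate.
EVENTS = [
    {"id": 1, "ts": "2024-09-28T19:01:40", "pid": 4100, "ppid": 900,
     "image": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Users\user\Desktop\file.exe"'},
    {"id": 11, "ts": "2024-09-28T19:01:44", "pid": 4100,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\resources.xml"},
    {"id": 11, "ts": "2024-09-28T19:01:45", "pid": 4100,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\Desktop\update.exe"},
    {"id": 1, "ts": "2024-09-28T19:01:47", "pid": 4312, "ppid": 4100,
     "image": r"C:\Users\user\Desktop\update.exe",
     "cmdline": r'"C:\Users\user\Desktop\update.exe" mmoparadox'},
    {"id": 11, "ts": "2024-09-28T19:01:55", "pid": 4312,
     "image": r"C:\Users\user\Desktop\update.exe",
     "target": r"C:\Users\user\Desktop\cabal.exe"},
]

PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
# Directories an unprivileged user can write to; a PE dropped there and then
# run from there is the pattern worth alerting on.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _is_user_writable_pe(path):
    p = path.lower()
    return p.endswith(PE_EXTENSIONS) and any(d in p for d in USER_WRITABLE)


def drop_and_execute(events, window=timedelta(minutes=5)):
    """Return (executed, dropped_only).

    executed: one dict per dropped PE that later became a process, with the
              writer, the launch command line, the delay, and whether the
              writer itself was the parent within `window`.
    dropped_only: PEs written to user-writable paths that never started.
    """
    pending = {}   # lower-cased path -> the FileCreate event that wrote it
    executed = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 11 and _is_user_writable_pe(e["target"]):
            pending[e["target"].lower()] = e
        elif e["id"] == 1:
            drop = pending.pop(e["image"].lower(), None)
            if drop is None:
                continue
            delay = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(drop["ts"])
            executed.append({
                "dropper": drop["image"],
                "payload": e["image"],
                "cmdline": e["cmdline"],
                "delay_s": delay.total_seconds(),
                "by_dropper": drop["pid"] == e["ppid"] and delay <= window,
            })
    dropped_only = [{"dropper": d["image"], "payload": d["target"]} for d in pending.values()]
    return executed, dropped_only


if __name__ == "__main__":
    ran, dropped = drop_and_execute(EVENTS)
    for chain in ran:
        print(f"{chain['dropper']} -> {chain['payload']} ({chain['delay_s']:.0f}s) {chain['cmdline']}")
    for d in dropped:
        print(f"dropped, never started: {d['payload']} (by {d['dropper']})")
```

Keying the pending drops on the lower-cased path and requiring the parent PID to equal the writer's PID is what keeps the rule specific: an installer that writes a PE which the user later double-clicks from Explorer is reported as executed but with by_dropper false, while the never-started cabal.exe surfaces as an artifact to collect rather than as a process to hunt for.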
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: windowscodecsext.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: icm32.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: jscript9.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\update.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Work\Misc\7zip\CS\SevenZipSharp\SevenZip\obj\Release\SevenZipSharp.pdb source: file.exe, 00000000.00000002.1756047886.0000000003458000.00000004.00000800.00020000.00000000.sdmp, SevenZipSharp.dll.0.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdbdc source: file.exe, cabal.exe.5.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\update\obj\Debug\update.pdb source: update.exe, 00000005.00000000.1752033069.0000000000E92000.00000002.00000001.01000000.0000000E.sdmp, update.exe.0.dr
Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: file.exe, 00000000.00000002.1756047886.00000000035E4000.00000004.00000800.00020000.00000000.sdmp, System.Windows.Interactivity.dll.0.dr
Source: Binary string: C:\Users\Admin\Downloads\Launcher1\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdb source: file.exe, cabal.exe.5.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_03011315 pushfd ; iretd 0_2_03011319
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_03013A0B pushfd ; iretd 0_2_03013A19
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_03013A35 pushfd ; iretd 0_2_03013A19
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_030139DB pushad ; iretd 0_2_030139E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_03013EA3 push esp; retf 0_2_03013EB1
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_01D737D3 pushad ; iretd 5_2_01D737E1
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_01D737E3 pushfd ; iretd 5_2_01D73811
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_01D71745 pushfd ; iretd 5_2_01D71749
Source: C:\Users\user\Desktop\update.exe Code function: 5_2_01D7D889 pushad ; retf 5_2_01D7D895
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\System.Windows.Interactivity.dll
Source: C:\Users\user\Desktop\update.exe File created: C:\Users\user\Desktop\cabal.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\update.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\SevenZipSharp.dll
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: 1D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: 3720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: 5720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: D160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: E2F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: E470000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\update.exe Memory allocated: E4F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 5972
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 3740
Source: C:\Users\user\Desktop\update.exe Window / User API: threadDelayed 2019
Source: C:\Users\user\Desktop\update.exe Window / User API: threadDelayed 1509
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\Desktop\System.Windows.Interactivity.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SevenZipSharp.dll
Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: file.exe, 00000000.00000002.1762583145.000000000C28F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f Dynami
Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: update.exe, 00000005.00000002.2617391786.000000000CAB6000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000005.00000002.2601827349.00000000018A3000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000005.00000002.2618800291.000000000CAFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#'
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\update.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\update.exe "C:\Users\user\Desktop\update.exe" mmoparadox
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (20 further identical entries collapsed)
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Users\user\Desktop\update.exe VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation (2 identical entries collapsed)
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation (3 identical entries collapsed)
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation (2 identical entries collapsed)
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
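The block below is an added example and is not part of the Joe Sandbox report or of the analysed sample. It is a small Python triage helper that parses behaviour lines of the shape used above ("Source: <process or memory region> <category>: <detail>"), attributes each event to a process, tags the evasion-relevant ones (hypervisor or virtual-hardware names found in memory, the SeDebugPrivilege token adjustment, the guard-page allocation, the MachineGuid registry lookup and the child-process creation) and collapses the repeated VolumeInformation queries into counts. The regular expression, the category list, the indicator names and the SAMPLE_LINES list (a constructed subset of the lines above, with the link text removed) are this example's own assumptions, not anything the report defines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the behaviour lines from the report above, in the
# "Source: <process or memory region> <category>: <detail>" shape. Three identical
# segoeui.ttf queries are kept so the de-duplication has something to collapse.
SAMPLE_LINES = [
    r"Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz",
    r"Source: file.exe, 00000000.00000002.1754990741.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\update.exe Process token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard",
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\update.exe "C:\Users\user\Desktop\update.exe" mmoparadox',
    r"Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\update.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]

# Event categories seen in this report section (assumed list; extend as needed).
CATEGORIES = (
    "Binary or memory string",
    "Dropped PE file which has not been started",
    "Process information queried",
    "Process token adjusted",
    "Memory allocated",
    "Process created",
    "Queries volume information",
    "Key value queried",
)
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<category>"
    + "|".join(re.escape(c) for c in CATEGORIES)
    + r"): (?P<detail>.*)$"
)

# Substrings that identify virtual hardware or a hypervisor in a memory string.
VM_MARKERS = ("vmware", "hyper-v", "vbox", "virtualbox", "qemu")


def process_name(source):
    """'C:\\Users\\user\\Desktop\\file.exe' or 'file.exe, 00000000....sdmp' -> 'file.exe'."""
    return source.split(",", 1)[0].strip().rsplit("\\", 1)[-1]


def parse_line(line):
    """Return a dict with source/category/detail/process, or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["process"] = process_name(ev["source"])
    return ev


def classify(ev):
    """Map one parsed event to an evasion-relevant indicator name, or None if it is not one."""
    cat, detail = ev["category"], ev["detail"].lower()
    if cat == "Binary or memory string" and any(marker in detail for marker in VM_MARKERS):
        return "vm_artifact_string"   # hypervisor / virtual-hardware name present in memory
    if cat == "Process token adjusted" and "debug" in detail:
        return "sedebugprivilege"     # SeDebugPrivilege enabled on the process token
    if cat == "Memory allocated" and "page guard" in detail:
        return "guard_page_alloc"     # PAGE_GUARD region, the "write watch" the report flags
    if cat == "Key value queried" and "machineguid" in detail:
        return "machine_guid_query"   # host fingerprint via HKLM\...\Cryptography\MachineGuid
    if cat == "Process created":
        return "child_process"        # spawns another binary (update.exe in this report)
    return None


def summarize(lines):
    """Aggregate report lines: indicator set per process plus de-duplicated volume queries."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    indicators = defaultdict(set)
    volume_queries = Counter()
    for ev in events:
        tag = classify(ev)
        if tag:
            indicators[ev["process"]].add(tag)
        if ev["category"] == "Queries volume information":
            # detail is "<path> VolumeInformation"; keep only the path as the key
            target = ev["detail"].rsplit(" ", 1)[0]
            volume_queries[(ev["process"], target)] += 1
    return {
        "events": len(events),
        "indicators": {proc: sorted(tags) for proc, tags in indicators.items()},
        "volume_queries": dict(volume_queries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for proc, tags in report["indicators"].items():
        print(f"{proc}: {', '.join(tags)}")
    for (proc, target), n in report["volume_queries"].items():
        print(f"{proc} queried {target} x{n}")
```

One caveat when reading the vm_artifact_string hits: the VMware SATA CD-ROM device path and the "Hyper-V RAW" string are simply what the sandbox's virtual hardware looks like from inside the guest, and a .NET program that enumerates storage volumes or loads fonts will pull such strings into its memory without containing any deliberate VM check. Treat the tag as a prompt to look for a branch on the value in the decompiled MSIL, not as proof of evasion by itself; the SeDebugPrivilege adjustment, the guard-page allocation and the MachineGuid lookup are the stronger signals in this section because each is an action the program chose to take.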