Windows Analysis Report
p2K.exe

Overview

General Information

Sample name: p2K.exe
Analysis ID: 1521694
MD5: b8974a6a9406e8c8d4345f6dcba034b2
SHA1: 4f4d2e7e11bce3c45abb0fb182513627357be9a2
SHA256: 6a6b6d460945b063180ee5a4580d29ee01f3bd1a2c5c82684512093e3655ba00

Detection

Score: 35
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

AI detected suspicious sample
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
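The report's "File is packed with WinRar" verdict and the sfxrar.pdb path mean p2K.exe is a WinRAR self-extractor: the stub is the PE, and the archive with assignee.exe and the Python 3.4 / Tcl-Tk runtime rides in the overlay after the last section. The script below, added here as an example and not taken from the report or from Joe Sandbox, walks the PE headers to find the overlay, searches it for a RAR4/RAR5 signature, and carves the archive so it can be expanded and hashed separately. The PE blob built by `build_sample_sfx()` is constructed for illustration and is not p2K.exe; in practice `unrar` or `7z` will also open the SFX directly, but knowing the overlay offset tells you whether anything else was appended.

```python
"""Static triage of a WinRAR SFX stub: find the PE overlay and the RAR archive it
carries so the payload can be carved out and analysed on its own.

Added example, not code from the report or from Joe Sandbox. The PE blob built
by build_sample_sfx() is constructed for illustration; it is not p2K.exe.
"""
import hashlib
import struct
import sys

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as hex, for matching against the values in the report."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the last PE section's raw data ends.

    Everything after it is the overlay, which is where SFX stubs keep their
    archive. Raises ValueError if the data does not carry MZ/PE headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_rar_archive(data: bytes):
    """Search the overlay for a RAR signature; return (offset, version) or None.

    The signature is searched for rather than assumed at the first overlay
    byte, so a stub that places other data before the archive is still found.
    """
    start = overlay_offset(data)
    overlay = data[start:]
    for sig, version in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        idx = overlay.find(sig)
        if idx != -1:
            return start + idx, version
    return None


def carve_archive(data: bytes) -> bytes:
    """Return the bytes from the RAR signature to end of file (empty if none)."""
    hit = find_rar_archive(data)
    return b"" if hit is None else data[hit[0]:]


def build_sample_sfx() -> bytes:
    """Construct a minimal 32-bit PE (one .text section) with a RAR5 overlay.
    Sample input for this example only; the archive body is a placeholder."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt_size = 0xE0                                           # PE32 optional header
    # Machine=i386, 1 section, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)                # PE32 magic
    raw_ptr = raw_size = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section).ljust(raw_ptr, b"\0")
    code = b"\xC3".ljust(raw_size, b"\0")                     # a lone 'ret'
    return headers + code + RAR5_SIG + b"\0" * 32


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sfx()
    print(file_hashes(blob))
    hit = find_rar_archive(blob)
    print("overlay at 0x%x, RAR: %s" % (overlay_offset(blob), hit))
    if hit and len(sys.argv) > 1:
        open("carved.rar", "wb").write(carve_archive(blob))
```

Run it as `python triage_sfx.py p2K.exe` (the file name is your choice) to print the three hashes for comparison with the General Information block and to write the carved archive to `carved.rar`; a RAR hit well past the overlay start, or no hit at all on a file the sandbox calls WinRAR-packed, is the cue to look at what else sits in the overlay.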

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 91.3% probability
Source: p2K.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\p2K.exe File opened: C:\ProgramData\assignee\msvcr100.dll
Source: p2K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: p2K.exe, 00000000.00000000.2111554546.000000000101C000.00000002.00000001.01000000.00000003.sdmp, p2K.exe, 00000000.00000002.2194961597.000000000101C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\win32api.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369844568.000000006CA7E000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: msvcr100.i386.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370644200.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, assignee.exe, 00000004.00000002.2317109606.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: ,C:\Users\martin\34\python\PCbuild\_socket.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3373393865.0000000074A97000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\python34.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370875187.000000006CCFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\win32api.pdb. source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369844568.000000006CA7E000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\pywintypes.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369736236.000000006CA5C000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\pywintypes.pdb( source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369736236.000000006CA5C000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_tkinter.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369628655.000000006CA37000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: &C:\Users\martin\34\python\PCbuild\_ssl.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_ssl.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: p[,C:\Users\martin\34\python\PCbuild\unicodedata.pdb)6 source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_socket.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3373393865.0000000074A97000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\unicodedata.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 9'C:\Users\martin\34\python\PCbuild\_tkinter.pdbif source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369628655.000000006CA37000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: -C:\Users\martin\34\python\PCbuild\python34.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370875187.000000006CCFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_ctypes.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3372735764.000000006D51F000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ,C:\Users\martin\34\python\PCbuild\_ctypes.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3372735764.000000006D51F000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FEF826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00FEF826
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01001630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_01001630
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01011FF8 FindFirstFileExA, 0_2_01011FF8
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DFE00 CreateFileW,GetFileInformationByHandle,CloseHandle,_errno,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetFileAttributesExW,GetLastError,GetLastError,FindFirstFileW,GetLastError,TclWinConvertError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_6C9DFE00
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DEF60 Tcl_FSGetNormalizedPath,Tcl_FSGetInternalRep,GetFileAttributesW,Tcl_GetStringFromObj,Tcl_DStringAppend,Tcl_DStringAppend,strpbrk,Tcl_DStringAppend,Tcl_WinUtfToTChar,FindFirstFileExW,FindFirstFileW,GetLastError,Tcl_DStringFree,TclWinConvertError,Tcl_PosixError,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_DStringFree,Tcl_DStringFree,Tcl_DStringSetLength,Tcl_ExternalToUtfDString,Tcl_StringCaseMatch,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_ListObjAppendElement,Tcl_DStringFree,FindNextFileW,FindClose,Tcl_DStringFree,Tcl_FSGetNormalizedPath,Tcl_GetString,Tcl_FSGetInternalRep,GetFileAttributesExW,Tcl_ListObjAppendElement, 4_2_6C9DEF60
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9E0590 Tcl_GetString,Tcl_UtfToExternalDString,GetFileAttributesExW,Tcl_AppendLimitedToObj,Tcl_GetString,Tcl_GetString,TclFreeObj,TclpFree,TclpFree,FindFirstFileW,FindClose,Tcl_DStringAppend,Tcl_DStringAppend,TclpFree,Tcl_DStringAppend,TclpFree,Tcl_ExternalToUtfDString,Tcl_NewStringObj,Tcl_AppendLimitedToObj,Tcl_GetString,Tcl_SetStringObj,TclFreeObj,Tcl_SetStringObj,TclpFree,TclpFree,TclFreeObj, 4_2_6C9E0590
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DDD00 Tcl_FSSplitPath,Tcl_ListObjIndex,Tcl_GetString,Tcl_FSJoinPath,Tcl_GetString,Tcl_UtfToExternalDString,TclFreeObj,FindFirstFileW,GetFileAttributesW,Tcl_DStringFree,Tcl_FSJoinPath,TclFreeObj,Tcl_ExternalToUtfDString,Tcl_DStringFree,TclpAlloc,Tcl_Panic,Tcl_AppendToObj,Tcl_DStringFree,Tcl_ListObjReplace,FindClose,Tcl_DStringFree,TclFreeObj,Tcl_GetString,Tcl_ObjPrintf,Tcl_SetObjResult,_errno,_errno,_errno,Tcl_ErrnoMsg,Tcl_ErrnoId,Tcl_SetErrorCode, 4_2_6C9DDD00
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DD710 GetFileAttributesW,Tcl_DStringAppend,Tcl_DStringSetLength,FindFirstFileW,GetLastError,TclWinConvertError,GetLastError,_errno,Tcl_DStringSetLength,Tcl_DStringSetLength,FindClose,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,FindNextFileW,FindClose,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,_errno,Tcl_ExternalToUtfDString, 4_2_6C9DD710
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\migration\
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\migration\wtr\
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/)
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#CommercialUse
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#Notice
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: p2K.exe, 00000000.00000003.2176583196.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3366840751.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp, assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: assignee.exe, 00000002.00000002.3370875187.000000006CCFE000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369889725.000000006CA88000.00000002.00000001.01000000.00000020.sdmp, assignee.exe, 00000004.00000002.2316308925.000000006CA88000.00000002.00000001.01000000.00000020.sdmp String found in binary or memory: http://pywin32.sourceforge.net
Source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369781184.000000006CA6A000.00000002.00000001.01000000.00000021.sdmp String found in binary or memory: http://pywin32.sourceforge.net0
Source: p2K.exe, 00000000.00000003.2176583196.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3366840751.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp, assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://support.apple.com/kb/HT1343
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tango.freedesktop.org/Tango_Desktop_Project
Source: assignee.exe, assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r)
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inkscape.org/)
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.inria.fr/koala/colas/mouse-wheel-scroll/
Source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/sax/properties/encoding
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/sax/properties/interning-dict
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interning
Source: assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/dom-node
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: assignee.exe String found in binary or memory: http://xml.org/sax/properties/lexical-handlerz1http://xml.org/sax/properties/declaration-handlerz&ht
Source: assignee.exe, 00000002.00000002.3368055604.0000000004430000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313916217.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: assignee.exe, 00000002.00000002.3367817874.00000000042F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blockchain.info/q/getreceivedbyaddress/
Source: p2K.exe, 00000000.00000003.2176583196.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3366840751.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp, assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://github.com/pypa/packagingz
Source: assignee.exe, assignee.exe, 00000004.00000002.2311024840.0000000000EC1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://nuitka.net/info/segfault.html
Source: p2K.exe, 00000000.00000003.2176583196.0000000006A62000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000000.2184489626.0000000000EC1000.00000002.00000001.01000000.0000000A.sdmp, assignee.exe, 00000004.00000002.2311024840.0000000000EC1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://nuitka.net/info/segfault.htmlfor
Source: assignee.exe, 00000004.00000000.2293523758.0000000000F0F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://pypi.org/project/segno/
Source: assignee.exe, 00000002.00000002.3367898833.0000000004370000.00000004.00001000.00020000.00000000.sdmp, assignee.exe, 00000004.00000002.2313737655.0000000004A10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shapeshift.banxa.com?coinAmount=0.00196201&coinType=BTC&walletAddress=bc1qmz279qhl6dumwfqccd
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C879CE0 OpenClipboard,EmptyClipboard,TkWinGetPlatformId,SetClipboardData,SetClipboardData,CloseClipboard, 2_2_6C879CE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C879D50 TkWinClipboardRender,Tcl_Alloc,Tcl_DStringInit,Tcl_UtfToUniCharDString,Tcl_Free,GlobalAlloc,Tcl_DStringFree,GlobalLock,memcpy,GlobalUnlock,Tcl_DStringFree,SetClipboardData, 2_2_6C879D50
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C87A040 TkSelGetSelection,Tk_InternAtom,OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,Tcl_DStringInit,Tcl_UniCharLen,Tcl_UniCharToUtfDString,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,Tcl_DStringInit,Tcl_DStringAppend,GlobalLock,GetLocaleInfoA,GlobalUnlock,Tcl_GetEncoding,Tcl_DStringFree,GetClipboardData,Tcl_FreeEncoding,CloseClipboard,GlobalLock,Tcl_ExternalToUtfDString,GlobalUnlock,Tcl_FreeEncoding,CloseClipboard,Tcl_DStringFree,CloseClipboard,Tk_GetAtomName,Tk_GetAtomName,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_SetErrorCode, 2_2_6C87A040
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C86D560 MapVirtualKeyW,MapVirtualKeyW,memset,ToAscii,ToAscii,VkKeyScanW,MapVirtualKeyW,memset,ToAscii,GetKeyState,GetKeyState,GetKeyState, 2_2_6C86D560
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C868390 TkWinGetModifierState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 2_2_6C868390
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE9B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00FE9B5C
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF355D 0_2_00FF355D
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFB76F 0_2_00FFB76F
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FEBF3D 0_2_00FEBF3D
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFA008 0_2_00FFA008
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0100C0D6 0_2_0100C0D6
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01014360 0_2_01014360
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFC27F 0_2_00FFC27F
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFA222 0_2_00FFA222
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF5214 0_2_00FF5214
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_010092D0 0_2_010092D0
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF46CF 0_2_00FF46CF
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_010186D2 0_2_010186D2
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE48AA 0_2_00FE48AA
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0101480E 0_2_0101480E
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE5AFE 0_2_00FE5AFE
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFABC8 0_2_00FFABC8
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE7CBA 0_2_00FE7CBA
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFBC05 0_2_00FFBC05
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE3D9D 0_2_00FE3D9D
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF4D32 0_2_00FF4D32
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0100BEA7 0_2_0100BEA7
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE5F39 0_2_00FE5F39
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF5F0B 0_2_00FF5F0B
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C87A660 2_2_6C87A660
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C80A100 2_2_6C80A100
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DB2C0 4_2_6C9DB2C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92ECE0 4_2_6C92ECE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C96CCE0 4_2_6C96CCE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C930C20 4_2_6C930C20
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C933C60 4_2_6C933C60
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9B4D10 4_2_6C9B4D10
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9CFD30 4_2_6C9CFD30
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C91CED0 4_2_6C91CED0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92AEC0 4_2_6C92AEC0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C932EC0 4_2_6C932EC0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C920E10 4_2_6C920E10
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92FE19 4_2_6C92FE19
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C935E40 4_2_6C935E40
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92BE70 4_2_6C92BE70
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92CF30 4_2_6C92CF30
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9318D0 4_2_6C9318D0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9238E0 4_2_6C9238E0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C924830 4_2_6C924830
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92F860 4_2_6C92F860
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9D29A0 4_2_6C9D29A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C936900 4_2_6C936900
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C930940 4_2_6C930940
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9B6970 4_2_6C9B6970
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C941A80 4_2_6C941A80
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C990AD0 4_2_6C990AD0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C8FAAD0 4_2_6C8FAAD0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C969A40 4_2_6C969A40
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C946B90 4_2_6C946B90
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C944BE0 4_2_6C944BE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92CB70 4_2_6C92CB70
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C93D4C0 4_2_6C93D4C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C935430 4_2_6C935430
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92D450 4_2_6C92D450
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9285A0 4_2_6C9285A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9145C0 4_2_6C9145C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C955510 4_2_6C955510
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C91F500 4_2_6C91F500
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9E6530 4_2_6C9E6530
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C915540 4_2_6C915540
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92E6B0 4_2_6C92E6B0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9A76D0 4_2_6C9A76D0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C922650 4_2_6C922650
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C91D660 4_2_6C91D660
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C93C7A0 4_2_6C93C7A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C929700 4_2_6C929700
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92B700 4_2_6C92B700
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C921770 4_2_6C921770
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92E010 4_2_6C92E010
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9311B0 4_2_6C9311B0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92F2C0 4_2_6C92F2C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DA220 4_2_6C9DA220
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C927270 4_2_6C927270
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9333D0 4_2_6C9333D0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C92C310 4_2_6C92C310
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C929360 4_2_6C929360
Source: C:\Users\user\Desktop\p2K.exe Code function: String function: 010057D8 appears 67 times
Source: C:\Users\user\Desktop\p2K.exe Code function: String function: 010057A5 appears 34 times
Source: C:\Users\user\Desktop\p2K.exe Code function: String function: 01006630 appears 31 times
Source: C:\ProgramData\assignee\assignee.exe Code function: String function: 6C9AF7A0 appears 183 times
Source: C:\ProgramData\assignee\assignee.exe Code function: String function: 6C9B45E0 appears 270 times
Source: C:\ProgramData\assignee\assignee.exe Code function: String function: 6C9B2180 appears 220 times
Source: C:\ProgramData\assignee\assignee.exe Code function: String function: 6C9A2370 appears 1251 times
Source: C:\ProgramData\assignee\assignee.exe Code function: String function: 6C9E9B80 appears 32 times
Source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs p2K.exe
Source: p2K.exe, 00000000.00000003.2176583196.000000000795E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametk86t.dllP vs p2K.exe
Source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython34.dll. vs p2K.exe
Source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepywintypes34.dllD vs p2K.exe
Source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcl86t.dllP vs p2K.exe
Source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewin32api.pydD vs p2K.exe
Source: p2K.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus35.winEXE@4/932@0/0
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FE932C GetLastError,FormatMessageW,_wcslen,LocalFree, 0_2_00FE932C
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFE91A CoCreateInstance, 0_2_00FFE91A
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FFEBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00FFEBD3
Source: C:\Users\user\Desktop\p2K.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assignee.lnk
Source: C:\Users\user\Desktop\p2K.exe Command line argument: sfxname 0_2_0100454A
Source: C:\Users\user\Desktop\p2K.exe Command line argument: sfxstime 0_2_0100454A
Source: C:\Users\user\Desktop\p2K.exe Command line argument: STARTDLG 0_2_0100454A
Source: p2K.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\p2K.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\p2K.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: assignee.exe String found in binary or memory: can't send non-None value to a just-started generator
Source: assignee.exe String found in binary or memory: -startline must be less than or equal to -endline
Source: assignee.exe String found in binary or memory: utracing-stop
Source: assignee.exe String found in binary or memory: Usage: mimetypes.py [options] type Options: --help / -h -- print this message and exit --lenient / -l -- additionally search of some common, but non-standard types. --extension / -e -- guess extension instead of
Source: assignee.exe String found in binary or memory: angle-addr-startr'
Source: assignee.exe String found in binary or memory: Usage: %s [OPTIONS] <file> [ARGS] Meta-options: --help Display this help then exit. --version Output version information then exit. Otherwise, exactly one of the following three options must be given: -t, --trace Print ea
Source: C:\Users\user\Desktop\p2K.exe File read: C:\Users\user\Desktop\p2K.exe
Source: unknown Process created: C:\Users\user\Desktop\p2K.exe "C:\Users\user\Desktop\p2K.exe" -pF5Vt8d1X0LWj
Source: C:\Users\user\Desktop\p2K.exe Process created: C:\ProgramData\assignee\assignee.exe "C:\ProgramData\assignee\assignee.exe" "2YgTMci4EewqpK"
Source: unknown Process created: C:\ProgramData\assignee\assignee.exe "C:\ProgramData\assignee\assignee.exe"
Source: C:\Users\user\Desktop\p2K.exe Process created: C:\ProgramData\assignee\assignee.exe "C:\ProgramData\assignee\assignee.exe" "2YgTMci4EewqpK"
Source: C:\Users\user\Desktop\p2K.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\p2K.exe Section loaded: msasn1.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: python34.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: version.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: pywintypes34.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: secur32.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: sspicli.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: tcl86t.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: tk86t.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: netapi32.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: logoncli.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: netutils.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: samcli.dll
Source: C:\ProgramData\assignee\assignee.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\p2K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: assignee.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\assignee\assignee.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: p2K.exe Static file information: File size 6985546 > 1048576
Source: C:\Users\user\Desktop\p2K.exe File opened: C:\ProgramData\assignee\msvcr100.dll
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: p2K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: p2K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: p2K.exe, 00000000.00000000.2111554546.000000000101C000.00000002.00000001.01000000.00000003.sdmp, p2K.exe, 00000000.00000002.2194961597.000000000101C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\win32api.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369844568.000000006CA7E000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: msvcr100.i386.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370644200.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, assignee.exe, 00000004.00000002.2317109606.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: ,C:\Users\martin\34\python\PCbuild\_socket.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3373393865.0000000074A97000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\python34.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370875187.000000006CCFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\win32api.pdb. source: p2K.exe, 00000000.00000003.2176583196.0000000007FF6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369844568.000000006CA7E000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\pywintypes.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369736236.000000006CA5C000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: O:\src\pywin32\build\temp.win32-3.4\Release\pywintypes.pdb( source: p2K.exe, 00000000.00000003.2176583196.00000000077DE000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369736236.000000006CA5C000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_tkinter.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369628655.000000006CA37000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: &C:\Users\martin\34\python\PCbuild\_ssl.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_ssl.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3371772116.000000006D440000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: p[,C:\Users\martin\34\python\PCbuild\unicodedata.pdb)6 source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_socket.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3373393865.0000000074A97000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\unicodedata.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 9'C:\Users\martin\34\python\PCbuild\_tkinter.pdbif source: p2K.exe, 00000000.00000003.2176583196.0000000007F09000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3369628655.000000006CA37000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: -C:\Users\martin\34\python\PCbuild\python34.pdb source: p2K.exe, 00000000.00000003.2176583196.00000000074C0000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3370875187.000000006CCFE000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\martin\34\python\PCbuild\_ctypes.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3372735764.000000006D51F000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ,C:\Users\martin\34\python\PCbuild\_ctypes.pdb source: p2K.exe, 00000000.00000003.2176583196.0000000007AC6000.00000004.00000020.00020000.00000000.sdmp, assignee.exe, 00000002.00000002.3372735764.000000006D51F000.00000002.00000001.01000000.0000000D.sdmp
Source: p2K.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: p2K.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: p2K.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: p2K.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: p2K.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7A6150 Tk_GetHINSTANCE,GetModuleFileNameW,LoadLibraryW,GetProcAddress, 2_2_6C7A6150
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\__tmp_rar_sfx_access_check_6045343
Source: p2K.exe Static PE information: section name: .didat
Source: assignee.exe.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01005773 push ecx; ret 0_2_01005786
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01006680 push ecx; ret 0_2_01006693
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7818C5 push ecx; ret 2_2_6C7818D8
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C938B81 push ebx; iretd 4_2_6C938B8A
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9EB395 push ecx; ret 4_2_6C9EB3A8
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6CA36655 push ecx; ret 4_2_6CA36668
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ctr.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_SHA256.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\pywintypes34.dll
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ocb.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\python34.dll
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_aes.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_cfb.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_SHA1.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\_ssl.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_BLAKE2s.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ofb.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ecb.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\_tkinter.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\msvcr100.dll
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Util\_strxor.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\tk86t.dll
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_ghash_clmul.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_MD5.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\_socket.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Hash\_ghash_portable.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Util\_cpuid_c.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Protocol\_scrypt.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\_ctypes.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_cbc.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\assignee.exe
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\psutil\_psutil_windows.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_aesni.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\win32api.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\unicodedata.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\Cryptodome\Cipher\_Salsa20.pyd
Source: C:\Users\user\Desktop\p2K.exe File created: C:\ProgramData\assignee\tcl86t.dll
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DF660 TclpGetUserHome,strchr,Tcl_UtfToUniCharDString,NetGetDCName,TclpFree,Tcl_UtfToUniCharDString,NetUserGetInfo,lstrlenW,Tcl_UniCharToUtfDString,NetApiBufferFree,GetWindowsDirectoryW,Tcl_UniCharToUtfDString,Tcl_DStringAppend,NetApiBufferFree,TclpFree,NetApiBufferFree,GetPrivateProfileStringA,GetWindowsDirectoryA,Tcl_DStringAppend, 4_2_6C9DF660
Source: C:\Users\user\Desktop\p2K.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assignee.lnk
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C85AD70 IsIconic,IsZoomed,AdjustWindowRectEx,SendMessageW,SendMessageW,GetSystemMetrics,MoveWindow,GetWindowRect,GetClientRect,MoveWindow,DrawMenuBar, 2_2_6C85AD70
Source: C:\Users\user\Desktop\p2K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\assignee\assignee.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\assignee\assignee.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
Source: C:\ProgramData\assignee\assignee.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: C:\ProgramData\assignee\assignee.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ctr.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_SHA256.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ocb.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_aes.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_SHA1.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_cfb.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\_ssl.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_BLAKE2s.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ofb.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_ecb.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\_tkinter.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Util\_strxor.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_ghash_clmul.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_MD5.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\_socket.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Hash\_ghash_portable.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Util\_cpuid_c.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Protocol\_scrypt.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\_ctypes.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_cbc.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\psutil\_psutil_windows.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_raw_aesni.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\win32api.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\unicodedata.pyd
Source: C:\Users\user\Desktop\p2K.exe Dropped PE file which has not been started: C:\ProgramData\assignee\Cryptodome\Cipher\_Salsa20.pyd
Source: C:\ProgramData\assignee\assignee.exe API coverage: 2.5 %
Source: C:\ProgramData\assignee\assignee.exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FEF826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00FEF826
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01001630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_01001630
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01011FF8 FindFirstFileExA, 0_2_01011FF8
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DFE00 CreateFileW,GetFileInformationByHandle,CloseHandle,_errno,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetFileAttributesExW,GetLastError,GetLastError,FindFirstFileW,GetLastError,TclWinConvertError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_6C9DFE00
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DEF60 Tcl_FSGetNormalizedPath,Tcl_FSGetInternalRep,GetFileAttributesW,Tcl_GetStringFromObj,Tcl_DStringAppend,Tcl_DStringAppend,strpbrk,Tcl_DStringAppend,Tcl_WinUtfToTChar,FindFirstFileExW,FindFirstFileW,GetLastError,Tcl_DStringFree,TclWinConvertError,Tcl_PosixError,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_DStringFree,Tcl_DStringFree,Tcl_DStringSetLength,Tcl_ExternalToUtfDString,Tcl_StringCaseMatch,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_ListObjAppendElement,Tcl_DStringFree,FindNextFileW,FindClose,Tcl_DStringFree,Tcl_FSGetNormalizedPath,Tcl_GetString,Tcl_FSGetInternalRep,GetFileAttributesExW,Tcl_ListObjAppendElement, 4_2_6C9DEF60
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9E0590 Tcl_GetString,Tcl_UtfToExternalDString,GetFileAttributesExW,Tcl_AppendLimitedToObj,Tcl_GetString,Tcl_GetString,TclFreeObj,TclpFree,TclpFree,FindFirstFileW,FindClose,Tcl_DStringAppend,Tcl_DStringAppend,TclpFree,Tcl_DStringAppend,TclpFree,Tcl_ExternalToUtfDString,Tcl_NewStringObj,Tcl_AppendLimitedToObj,Tcl_GetString,Tcl_SetStringObj,TclFreeObj,Tcl_SetStringObj,TclpFree,TclpFree,TclFreeObj, 4_2_6C9E0590
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DDD00 Tcl_FSSplitPath,Tcl_ListObjIndex,Tcl_GetString,Tcl_FSJoinPath,Tcl_GetString,Tcl_UtfToExternalDString,TclFreeObj,FindFirstFileW,GetFileAttributesW,Tcl_DStringFree,Tcl_FSJoinPath,TclFreeObj,Tcl_ExternalToUtfDString,Tcl_DStringFree,TclpAlloc,Tcl_Panic,Tcl_AppendToObj,Tcl_DStringFree,Tcl_ListObjReplace,FindClose,Tcl_DStringFree,TclFreeObj,Tcl_GetString,Tcl_ObjPrintf,Tcl_SetObjResult,_errno,_errno,_errno,Tcl_ErrnoMsg,Tcl_ErrnoId,Tcl_SetErrorCode, 4_2_6C9DDD00
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9DD710 GetFileAttributesW,Tcl_DStringAppend,Tcl_DStringSetLength,FindFirstFileW,GetLastError,TclWinConvertError,GetLastError,_errno,Tcl_DStringSetLength,Tcl_DStringSetLength,FindClose,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringAppend,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,FindNextFileW,FindClose,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,Tcl_DStringSetLength,_errno,Tcl_ExternalToUtfDString, 4_2_6C9DD710
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01004E14 VirtualQuery,GetSystemInfo, 0_2_01004E14
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\migration\ Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\ Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\migration\wtr\ Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\ Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\ Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\ Jump to behavior
Source: p2K.exe, 00000000.00000003.2185482147.0000000000760000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: assignee.exe, 00000002.00000002.3366212400.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\p2K.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01006878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01006878
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7A6150 Tk_GetHINSTANCE,GetModuleFileNameW,LoadLibraryW,GetProcAddress, 2_2_6C7A6150
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0100ECAA mov eax, dword ptr fs:[00000030h] 0_2_0100ECAA
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01012CE0 GetProcessHeap, 0_2_01012CE0
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01006878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01006878
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01005BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01005BBF
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01006A0B SetUnhandledExceptionFilter, 0_2_01006A0B
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0100AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0100AAC4
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C781155 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_6C781155
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9EABC1 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 4_2_6C9EABC1
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6CA35EA0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 4_2_6CA35EA0
Source: C:\Users\user\Desktop\p2K.exe Process created: C:\ProgramData\assignee\assignee.exe "C:\ProgramData\assignee\assignee.exe" "2YgTMci4EewqpK" Jump to behavior
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_01006694 cpuid 0_2_01006694
Source: C:\Users\user\Desktop\p2K.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00FFFD34
Source: C:\ProgramData\assignee\assignee.exe Code function: TkWinXInit,InitCommonControlsEx,Tcl_Panic,RegisterClassW,Tcl_Panic,GetKeyboardLayout,GetLocaleInfoW,TranslateCharsetInfo,TkWinXCleanup, 2_2_6C85A4D0
Source: C:\ProgramData\assignee\assignee.exe Code function: TkSelGetSelection,Tk_InternAtom,OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,Tcl_DStringInit,Tcl_UniCharLen,Tcl_UniCharToUtfDString,GlobalUnlock,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,Tcl_DStringInit,Tcl_DStringAppend,GlobalLock,GetLocaleInfoA,GlobalUnlock,Tcl_GetEncoding,Tcl_DStringFree,GetClipboardData,Tcl_FreeEncoding,CloseClipboard,GlobalLock,Tcl_ExternalToUtfDString,GlobalUnlock,Tcl_FreeEncoding,CloseClipboard,Tcl_DStringFree,CloseClipboard,Tk_GetAtomName,Tk_GetAtomName,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_SetErrorCode, 2_2_6C87A040
Source: C:\Users\user\Desktop\p2K.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\assignee.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\encoding VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Program Files (x86)\Internet Explorer\iexplore.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\init.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\auto.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\tk.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\tm.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\package.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\pkgIndex.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\opt0.4\pkgIndex.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\icons.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\button.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\entry.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\listbox.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\menu.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\panedwindow.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\scrlbar.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\spinbox.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\utils.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\button.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\menubutton.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\scrollbar.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\scale.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\progress.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\notebook.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\panedwindow.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\entry.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\combobox.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\spinbox.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\treeview.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\classicTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\altTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\clamTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\winTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\xpTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\vistaTheme.tcl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\ VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\bcd VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\boot.sdi VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\bootfix.bin VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\bootsect.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\memtest.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\en-gb VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\fonts VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\fonts\chs_boot.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\fonts\jpn_boot.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\fonts\malgun_boot.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\boot\fonts\segoe_slboot.ttf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\boot VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\boot\bootx64.efi VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\microsoft VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\microsoft\boot VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\microsoft\boot\fonts VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\efi\microsoft\boot\resources VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\appcompat_detailed_bidi_txt.xsl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\appcompat_detailed_txt.xsl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\setupplatform.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\setupprep.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sflcid.dat VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sflistrs1.dat VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sflistw8.woa.dat VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sflistwb.dat VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sflistwb.woa.dat VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sfpatw7.inf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sfpatw8.inf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sfpatwb.inf VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\wicadevicefilters.xml VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\accessibilitycpl-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\cryptoconfig-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\eventlog-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\explorer-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-wab-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\netfx-wcf-tcpportsharing-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\netfx4-wcf-client-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\netfx4clientcorecomp-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\rights-management-client-v1-api-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\rights-management-services-server-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\terminalservices-sessiondirectory-client-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\wcf-http-activation-postapply-dl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-activedirectory-webservices-dl VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-networkloadbalancing-core VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasconnectionmanager VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\en-gb VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\en-gb\wimprovider.dll.mui VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\activedirectory-webservices-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\cloudapreplacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\directoryservices-administrativecenter-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\internet-naming-tools-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\ipv4ipv6coexistencemigration-net-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\kernel-pnp-repl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\kernel32-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\kernel32-server-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\mfmpeg2srcsnk-migration-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-activedirectory-powershell-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-certificateservices-ca-serverupgrade-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-certificateservices-ocsp-serverupgrade-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-onecore-tiledatarepository-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-failovercluster-adminpak-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\printing-spooler-core-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\sounds-migration-replacement.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\srm-quotadriver-repl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\windows.cortana.desktop-repl.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\hwvid-migration-2 VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-activedirectory-webservices VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-client-license-platform-service-migration VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\en-gb VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-rasapi-mig VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-shmig\en-gb VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\sppmig VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\replacementmanifests\wpc VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\sxs VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\uup VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\sources\uup\metadata VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: \Device\CdRom0\support\logging\microsoft-windows-actionqueue-instrumentation.man VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000 VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Application Data VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Application Data VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Application Data VolumeInformation Jump to behavior
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Application Data VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\History VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\History VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1 VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Temporary Internet Files VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\GameExplorer VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Local\Temp VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\assignee.exe VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\encoding VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\Program Files (x86)\Internet Explorer\iexplore.exe VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\init.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\auto.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\tk.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\tm.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\package.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\pkgIndex.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\http1.0\pkgIndex.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tcl\opt0.4\pkgIndex.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\icons.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\button.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\entry.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\panedwindow.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\scale.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\spinbox.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\text.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\ttk.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\fonts.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\cursors.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\scrollbar.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\scale.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\progress.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\notebook.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\entry.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\combobox.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\treeview.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\sizegrip.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\classicTheme.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\altTheme.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\clamTheme.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData\assignee\tk\ttk\winTheme.tcl VolumeInformation
Source: C:\ProgramData\assignee\assignee.exe Queries volume information: C:\ProgramData VolumeInformation
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_0100454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0100454A
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9E16D0 Tcl_NewStringObj,Tcl_ObjSetVar2,TclFreeObj,GetVersionExA,GetSystemInfo,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,wsprintfA,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,Tcl_GetVar2,Tcl_GetVar2,Tcl_DStringAppend,Tcl_GetVar2,Tcl_DStringAppend,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,TclGetEnv,GetUserNameW,Tcl_ExternalToUtfDString,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString,TclpFree,Tcl_NewStringObj,Tcl_SetVar2Ex,Tcl_GetString, 4_2_6C9E16D0
Source: C:\Users\user\Desktop\p2K.exe Code function: 0_2_00FF03BE GetVersionExW, 0_2_00FF03BE
Source: C:\ProgramData\assignee\assignee.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7A8980 TkCreateMainWindow,Tcl_GetThreadData,Tcl_Panic,Tcl_Alloc,Tcl_InitHashTable,TkBindInit,TkFontPkgInit,TkStylePkgInit,Tcl_InitHashTable,Tcl_LinkVar,Tcl_ResetResult,Tcl_CreateNamespace,Tcl_ResetResult,Tcl_LinkVar,Tcl_ResetResult,Tcl_InitHashTable,Tk_SetAppName,Tk_GetUid,Tcl_IsSafe,Tcl_Panic,Tcl_CreateCommand,Tcl_CreateObjCommand,Tcl_HideCommand,Tcl_SetVar2,Tcl_SetVar2, 2_2_6C7A8980
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C852CC0 Tk_GetAllBindings,Tcl_NewObj,Tcl_ListObjAppendElement,Tcl_SetObjResult, 2_2_6C852CC0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7B1C80 TkTextMakeByteIndex,TkBTreeNumLines,TkTextMakeByteIndex,Tk_DeleteAllBindings, 2_2_6C7B1C80
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C852DB0 Tk_DeleteBinding,Tcl_ResetResult,Tcl_Panic,Tcl_Panic,Tcl_DeleteHashEntry,Tcl_Panic,Tcl_Free,Tcl_Free, 2_2_6C852DB0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C787D40 Tk_DeleteEventHandler,Tk_DeleteBindingTable,Tcl_Free,Tcl_DeleteHashTable, 2_2_6C787D40
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C82EDE0 Tcl_Alloc,Tk_BindEvent,Tcl_Free, 2_2_6C82EDE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C831D00 Tcl_WrongNumArgs,Tcl_GetIndexFromObjStruct,Tcl_Preserve,Tcl_WrongNumArgs,Tcl_WrongNumArgs,Tcl_NewLongObj,Tcl_NewLongObj,Tcl_NewLongObj,Tcl_NewLongObj,Tcl_NewListObj,Tcl_SetObjResult,Tcl_WrongNumArgs,Tcl_GetString,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_GetString,Tcl_SetErrorCode,Tk_CreateBindingTable,Tcl_GetString,Tcl_GetString,Tk_DeleteBinding,Tcl_GetString,Tk_CreateBinding,Tcl_GetString,Tk_DeleteBinding,Tcl_NewStringObj,Tcl_SetObjResult,Tcl_SetErrorCode,Tcl_GetString,Tk_GetBinding,Tcl_GetObjResult,Tcl_GetString,Tcl_ResetResult,Tcl_NewStringObj,Tcl_SetObjResult,Tk_GetAllBindings,Tcl_Release, 2_2_6C831D00
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C852D60 Tk_GetBinding, 2_2_6C852D60
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C853E40 Tk_BindEvent,TkpGetKeySym,Tcl_DStringInit,Tcl_DStringAppend,Tcl_SaveInterpState,Tcl_Preserve,Tcl_AllowExceptions,Tcl_EvalEx,Tcl_AddErrorInfo,Tcl_BackgroundException,Tcl_RestoreInterpState,Tcl_DStringFree,Tcl_Release, 2_2_6C853E40
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C828E50 Tcl_WrongNumArgs,Tcl_GetString,Tk_NameToWindow,Tcl_NewObj,Tcl_NewStringObj,Tcl_ListObjAppendElement,Tcl_NewStringObj,Tcl_ListObjAppendElement,Tcl_NewStringObj,Tcl_ListObjAppendElement,Tcl_NewStringObj,Tcl_ListObjAppendElement,Tcl_NewStringObj,Tcl_ListObjAppendElement,Tcl_SetObjResult,TkFreeBindingTags,Tcl_ListObjGetElements,Tcl_Alloc,Tcl_GetString,Tcl_Alloc,Tk_GetUid, 2_2_6C828E50
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C852F50 Tk_CreateBinding,Tcl_Alloc,memcpy,memcpy,Tcl_Alloc,memcpy,Tcl_Free, 2_2_6C852F50
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C8288A0 TkFreeBindingTags,Tcl_Free,Tcl_Free, 2_2_6C8288A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7A7930 Tk_DestroyWindow,Tcl_GetThreadData,Tcl_Alloc,TkFocusDeadWindow,Tk_DestroyWindow,TkpGetOtherWindow,Tk_DestroyWindow,Tk_MakeWindowExist,Tk_HandleEvent,Tcl_Free,Tcl_Panic,TkWmDeadWindow,TkWmRemoveFromColormapWindows,XDestroyWindow,Tcl_DeleteHashEntry,TkEventDeadWindow,TkFreeBindingTags,TkOptionDeadWindow,TkSelDeadWindow,TkGrabDeadWindow,Tcl_Free,Tk_DeleteAllBindings,Tcl_DeleteHashEntry,Tcl_InterpDeleted,Tcl_CreateCommand,Tcl_CreateCommand,Tcl_UnlinkVar,Tcl_UnlinkVar,Tcl_DeleteHashTable,Tcl_DeleteHashTable,TkBindFree,TkDeleteAllImages,TkFontPkgFree,TkFocusFree,TkStylePkgFree,XSync,Tcl_Free,Tcl_EventuallyFree, 2_2_6C7A7930
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C829930 TkBindEventProc,Tcl_Alloc,Tk_GetUid,Tk_BindEvent,Tcl_Free, 2_2_6C829930
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C81C960 Tk_HandleEvent,Tcl_GetThreadData,Tcl_Preserve,TkSelEventProc,Tk_InternAtom,TkWmProtocolEventProc,TkBindEventProc,Tcl_Release, 2_2_6C81C960
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7B1A50 Tcl_Alloc,Tk_BindEvent,Tcl_Free, 2_2_6C7B1A50
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C869AE0 TkpInitializeMenuBindings,Tk_GetUid,Tk_MainWindow,Tcl_CreateObjCommand,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding,Tk_CreateBinding, 2_2_6C869AE0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C786AB0 Tk_CreateOptionTable,Tk_CreateOptionTable,Tk_CreateOptionTable,Tk_CreateOptionTable,Tk_CreateBindingTable,Tk_CreateEventHandler,Tcl_InitHashTable,Tk_InitOptions,Tk_InitOptions,Tcl_InitHashTable,Tk_InitOptions, 2_2_6C786AB0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C8514A0 Tk_CreateBindingTable,Tcl_Alloc,Tcl_InitHashTable,Tcl_InitHashTable, 2_2_6C8514A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7B2490 Tcl_WrongNumArgs,Tcl_GetIndexFromObjStruct,Tcl_WrongNumArgs,Tcl_GetString,Tk_OwnSelection,Tcl_WrongNumArgs,Tcl_GetString,Tk_CreateBindingTable,Tcl_GetString,Tcl_GetString,Tk_DeleteBinding,Tcl_GetString,Tk_CreateBinding,Tcl_GetString,Tk_DeleteBinding,Tcl_NewStringObj,Tcl_SetObjResult,Tcl_SetErrorCode,Tcl_GetString,Tk_GetBinding,Tcl_GetObjResult,Tcl_GetString,Tcl_ResetResult,Tcl_NewStringObj,Tcl_SetObjResult,Tk_GetAllBindings, 2_2_6C7B2490
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7855E0 Tcl_Preserve,Tk_BindEvent,Tcl_Release, 2_2_6C7855E0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C851540 TkBindFree,Tk_DeleteBindingTable,Tcl_EventuallyFree, 2_2_6C851540
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C830680 Tcl_Free,Tcl_Free,Tcl_DeleteHashTable,Tk_FreeGC,Tcl_DeleteTimerHandler,Tk_DeleteBindingTable,Tk_FreeOptions,Tcl_Free, 2_2_6C830680
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C8546C0 TkBindInit,Tcl_Panic,Tcl_MutexLock,Tcl_InitHashTable,Tcl_InitHashTable,Tcl_InitHashTable,Tcl_InitHashTable,Tcl_MutexUnlock,Tk_CreateBindingTable,Tcl_Alloc,TkpInitializeMenuBindings, 2_2_6C8546C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C829700 Tcl_WrongNumArgs,Tcl_GetString,Tk_NameToWindow,Tk_GetUid,Tcl_GetString,Tcl_GetString,Tk_DeleteBinding,Tk_CreateBinding,Tcl_GetString,Tk_GetBinding,Tcl_ResetResult,Tcl_NewStringObj,Tcl_SetObjResult,Tk_GetAllBindings, 2_2_6C829700
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C785000 Tcl_WrongNumArgs,Tk_GetAllBindings,Tcl_GetString,Tk_GetBinding,Tcl_NewStringObj,Tcl_SetObjResult,Tcl_GetString,Tcl_GetString,Tk_DeleteBinding,Tk_CreateBinding,Tk_DeleteBinding,Tcl_ObjPrintf,Tcl_SetObjResult,Tcl_SetErrorCode, 2_2_6C785000
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C7CD0F0 Tcl_Free,Tcl_Free,Tcl_FirstHashEntry,Tcl_NextHashEntry,Tcl_FirstHashEntry,Tcl_NextHashEntry,Tcl_DeleteHashTable,Tcl_FirstHashEntry,Tcl_NextHashEntry,Tcl_Free,Tcl_DeleteHashTable,Tcl_DeleteHashTable,Tcl_DeleteHashTable,Tk_DeleteBindingTable,Tcl_Free,Tcl_Free,Tcl_DeleteTimerHandler,Tcl_DeleteCommandFromToken,Tcl_Free, 2_2_6C7CD0F0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C8512A0 Tk_DeleteAllBindings,Tcl_DeleteHashEntry,Tcl_Panic,Tcl_Free,Tcl_Free,Tcl_DeleteHashEntry, 2_2_6C8512A0
Source: C:\ProgramData\assignee\assignee.exe Code function: 2_2_6C8513C0 Tk_DeleteBindingTable,Tcl_FirstHashEntry,Tcl_NextHashEntry,Tcl_Free,Tcl_Free,Tcl_DeleteHashTable,Tcl_DeleteHashTable,Tcl_Free, 2_2_6C8513C0
Source: C:\ProgramData\assignee\assignee.exe Code function: 4_2_6C9E7F20 TlsGetValue,Tcl_MutexLock,LeaveCriticalSection,socket,WSAGetLastError,TclWinConvertError,SetHandleInformation,TclSockMinimumBuffers,htons,bind,WSAGetLastError,TclWinConvertError,closesocket,getsockname,htons,listen,socket,WSAGetLastError,_errno,_errno,_errno,SetHandleInformation,TclSockMinimumBuffers,bind,WSAGetLastError,TclWinConvertError,ioctlsocket,WSAGetLastError,TclWinConvertError,connect,WSAGetLastError,TclWinConvertError,_errno,closesocket,freeaddrinfo,freeaddrinfo,ioctlsocket,SendMessageW,Tcl_PosixError,Tcl_ObjPrintf,Tcl_SetObjResult,closesocket, 4_2_6C9E7F20
No contacted IP infos