Windows Analysis Report
origin.bin.exe

Overview

General Information

Sample name: origin.bin.exe
Analysis ID: 1523487
MD5: 0b8bb8ed90799aa967281f96d1b3a75d
SHA1: f083724cffd51f9bd9afe08419598c9672cf8caf
SHA256: 5016ba92afac1c2b2a2a6b17a09406869bd6f58cfe680f25030af1a1ba1c29a2
Tags: NET, exe, user-jstrosch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

AV Detection

Source: origin.bin.exe Avira: detected
Source: origin.bin.exe ReversingLabs: Detection: 87%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: origin.bin.exe Joe Sandbox ML: detected
Source: origin.bin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 65.181.111.142:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: origin.bin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb7 source: origin.bin.exe, 00000000.00000002.1897676521.000000000748C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: Accessibility.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdbc, source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: C:\Users\user\Desktop\origin.bin.PDB source: origin.bin.exe, 00000000.00000002.1894921466.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp, WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb4 source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1894967409.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.000000000748C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1894921466.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1895116327.0000000001034000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr
Source: global traffic HTTP traffic detected:
GET /sav/Ztvfo.png HTTP/1.1
Host: savory.com.bd
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /sav/Ztvfo.png HTTP/1.1
Host: savory.com.bd
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 65.181.111.142:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 65.181.111.142:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 65.181.111.142:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 65.181.111.142:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 65.181.111.142:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: savory.com.bd
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: close
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
content-type: text/html; charset=UTF-8
link: <https://savory.com.bd/wp-json/>; rel="https://api.w.org/"
transfer-encoding: chunked
date: Tue, 01 Oct 2024 15:02:58 GMT
server: LiteSpeed
vary: User-Agent
Source: origin.bin.exe, 00000000.00000002.1896466536.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savory.com.bd/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: origin.bin.exe, 00000000.00000002.1896466536.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savory.com.bd/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savory.com.bd/wp-json/
Source: origin.bin.exe, 00000000.00000002.1896466536.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savory.com.bd/xmlrpc.php
Source: origin.bin.exe, 00000000.00000002.1895943987.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savory.com.bd/xmlrpc.php?rsd
Source: origin.bin.exe, 00000000.00000002.1896466536.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://schema.org
Source: origin.bin.exe, 00000000.00000002.1896466536.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, origin.bin.exe, 00000000.00000002.1895943987.0000000002F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 65.181.111.142:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: C:\Users\user\Desktop\origin.bin.exe Code function: 0_2_0145D344 0_2_0145D344
Source: C:\Users\user\Desktop\origin.bin.exe Code function: 0_2_02EC0040 0_2_02EC0040
Source: C:\Users\user\Desktop\origin.bin.exe Code function: 0_2_02EC001C 0_2_02EC001C
Source: C:\Users\user\Desktop\origin.bin.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7308 -s 2340
Source: origin.bin.exe, 00000000.00000002.1894921466.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs origin.bin.exe
Source: origin.bin.exe, 00000000.00000002.1894967409.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs origin.bin.exe
Source: origin.bin.exe, 00000000.00000002.1895943987.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs origin.bin.exe
Source: origin.bin.exe, 00000000.00000002.1895943987.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs origin.bin.exe
Source: origin.bin.exe, 00000000.00000002.1895943987.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs origin.bin.exe
Source: origin.bin.exe, 00000000.00000000.1660796872.0000000000A82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMvqdwnrv.exe" vs origin.bin.exe
Source: origin.bin.exe Binary or memory string: OriginalFilenameMvqdwnrv.exe" vs origin.bin.exe
Source: origin.bin.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal68.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\origin.bin.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7308
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9c8169e3-415b-47e6-8ced-9c5bfae89042
Source: origin.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: origin.bin.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\origin.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: origin.bin.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\origin.bin.exe File read: C:\Users\user\Desktop\origin.bin.exe
Source: unknown Process created: C:\Users\user\Desktop\origin.bin.exe "C:\Users\user\Desktop\origin.bin.exe"
Source: C:\Users\user\Desktop\origin.bin.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7308 -s 2340
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\origin.bin.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\origin.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\origin.bin.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: origin.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: origin.bin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: origin.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb7 source: origin.bin.exe, 00000000.00000002.1897676521.000000000748C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: Accessibility.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr
Source: Binary string: C:\Windows\System.Windows.Forms.pdbpdbrms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdbc, source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: C:\Users\user\Desktop\origin.bin.PDB source: origin.bin.exe, 00000000.00000002.1894921466.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.0000000007437000.00000004.00000020.00020000.00000000.sdmp, WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb4 source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1894967409.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1897676521.000000000748C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1894921466.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER83F6.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: origin.bin.exe, 00000000.00000002.1895116327.0000000001034000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER83F6.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER83F6.tmp.dmp.4.dr

Data Obfuscation

barindex
Source: origin.bin.exe, Form1.cs .Net Code: Void System.AppDomain.Load(byte[])
Source: origin.bin.exe Static PE information: 0xCA0922E7 [Sun May 30 10:33:11 2077 UTC]
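The static findings above (a COM descriptor data directory, a debug data directory and a COFF timestamp of 0xCA0922E7, which decodes to 30 May 2077) together with the System.AppDomain.Load(byte[]) call in Form1.cs describe a .NET loader that hands a second assembly to the runtime from a byte array, so the payload will only ever exist in memory. The script below is an added example for this report, not Joe Sandbox code and not the sample's code: it carves PE headers out of a byte buffer such as a process memory dump, reports whether each carved image is itself a .NET assembly (CLR header present) and decodes its timestamp. The buffer it runs on is constructed inline (a decoy "MZ" plus a minimal synthetic PE32 header carrying this sample's timestamp). One caveat is built in: a timestamp with the high bit set, as here, is also what Roslyn deterministic builds write into that field (a content hash rather than a date), so on its own it is weak evidence of tampering.

```python
"""Carve PE images from a buffer and decode their COFF timestamps.

Added example for this report; not Joe Sandbox code and not the sample's code.
The sample buffer at the bottom is constructed so the script runs offline.
"""
import struct
import time
from datetime import datetime, timedelta, timezone

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header: present only in .NET images
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe_at(buf, mz_off):
    """Parse the PE headers starting at buf[mz_off]; return a dict, or None if malformed."""
    if buf[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew > 0x1000 or buf[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(buf):
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt_off = pe_off + 24
    if opt_size < 2 or opt_off + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt_off)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return None
    if ndirs_off + 4 > opt_off + opt_size:
        return None
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]

    def dir_present(index):
        if index >= ndirs or dirs_off + 8 * (index + 1) > opt_off + opt_size:
            return False
        rva, size = struct.unpack_from("<II", buf, dirs_off + 8 * index)
        return rva != 0 and size != 0

    return {
        "offset": mz_off,
        "machine": machine,
        "timestamp": stamp,
        "is_dotnet": dir_present(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
        "has_debug_dir": dir_present(IMAGE_DIRECTORY_ENTRY_DEBUG),
    }


def find_pe_images(buf):
    """Carve every well-formed PE header out of buf (for instance a dump of the unpacker's heap)."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info:
            found.append(info)
        pos = buf.find(b"MZ", pos + 1)
    return found


def classify_timestamp(stamp, now_ts=None):
    """Decode a COFF TimeDateStamp and say whether it can be read as a build date."""
    now_ts = time.time() if now_ts is None else now_ts
    when = EPOCH + timedelta(seconds=stamp)
    high_bit = bool(stamp & 0x8000_0000)
    if high_bit:
        verdict = "not a date: high bit set (what Roslyn deterministic builds store here)"
    elif stamp > now_ts:
        verdict = "future date: forged or built on a skewed clock"
    else:
        verdict = "plausible build date"
    return {"utc": when.strftime("%Y-%m-%d %H:%M:%S"), "high_bit": high_bit, "verdict": verdict}


def build_pe32_header(stamp, dotnet=True):
    """Constructed minimal PE32 header (sample input for this example only, not a real file)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    opt = bytearray(224)                                              # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                             # magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x2000, 0x1C)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed buffer: noise, a bare "MZ" that is not a PE, then a header with this sample's stamp.
SAMPLE_DUMP = b"\x90" * 20 + b"MZ\x00\x00" + b"\x00" * 13 + build_pe32_header(0xCA0922E7) + b"\xCC" * 8

if __name__ == "__main__":
    for img in find_pe_images(SAMPLE_DUMP):
        ts = classify_timestamp(img["timestamp"])
        print(f"PE at offset {img['offset']}: machine=0x{img['machine']:X} .NET={img['is_dotnet']} "
              f"TimeDateStamp=0x{img['timestamp']:08X} = {ts['utc']} UTC -> {ts['verdict']}")
```

Run it against a memory dump of the process after AppDomain.Load has fired (the .sdmp regions listed in this report are the obvious candidates) and every carved image with is_dotnet set is a second-stage assembly worth extracting; the sample's own stamp is reported as "not a date", which is the right level of confidence for this signature on .NET binaries.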
Source: C:\Users\user\Desktop\origin.bin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\origin.bin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\origin.bin.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\origin.bin.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\origin.bin.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599795
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598953
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598391
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598268
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598141
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598031
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597804
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597703
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597469
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597358
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597248
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597130
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597015
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596688
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596328
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596219
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596109
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596000
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595888
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595781
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595672
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595203
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595094
Source: C:\Users\user\Desktop\origin.bin.exe Window / User API: threadDelayed 2011
Source: C:\Users\user\Desktop\origin.bin.exe Window / User API: threadDelayed 7844
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599795s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598391s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598268s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598141s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597804s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597358s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597248s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597130s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -597015s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596797s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596688s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596563s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595888s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595563s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe TID: 7484 Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599795
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598953
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598391
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598268
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598141
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 598031
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597804
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597703
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597469
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597358
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597248
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597130
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 597015
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596688
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596328
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596219
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596109
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 596000
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595888
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595781
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595672
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595563
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595438
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595313
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595203
Source: C:\Users\user\Desktop\origin.bin.exe Thread delayed: delay time: 595094
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: origin.bin.exe, 00000000.00000002.1895116327.0000000001034000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\origin.bin.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\origin.bin.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\origin.bin.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\origin.bin.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Users\user\Desktop\origin.bin.exe VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\origin.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe