Windows Analysis Report
PO-1BdyzarvrjUANe0.exe

Overview

General Information

Sample name: PO-1BdyzarvrjUANe0.exe
Analysis ID: 1539389
MD5: fac116ca092033649c6a8ae32e000508
SHA1: 5139cdc83309a71256413e6e9948098deeb4f144
SHA256: dd7864aca2acdf7738015e6568b6d6fe2f425137c81dcfb19ba491852678b4a7
Tags: exeredlineRedLineStealeruser-malwarelabnet
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

barindex
Source: PO-1BdyzarvrjUANe0.exe Avira: detected
Source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: PO-1BdyzarvrjUANe0.exe ReversingLabs: Detection: 63%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO-1BdyzarvrjUANe0.exe Joe Sandbox ML: detected
Source: PO-1BdyzarvrjUANe0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO-1BdyzarvrjUANe0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 06C459FCh 2_2_06C45738
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 06C49160h 2_2_06C48C68
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 06C461FFh 2_2_06C45AA0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 06C43976h 2_2_06C43955
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 07215BE2h 2_2_072157C0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 07216062h 2_2_072157C0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 4x nop then jmp 07214DB1h 2_2_07214D99

Networking

barindex
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 188.190.10.19:1912 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 188.190.10.19:1912 -> 192.168.2.4:49733
Source: Malware configuration extractor URLs: 188.190.10.19:1912
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 188.190.10.19:1912
Source: Joe Sandbox View ASN Name: ASINTTELUA ASINTTELUA
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003227000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002E31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765357290.0000000005A29000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765499513.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1765760032.00000000072C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003EF6000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.00000000042B7000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1993772018.0000000003E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_078611E0 0_2_078611E0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_07854D3B 0_2_07854D3B
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_02EB3E6C 0_2_02EB3E6C
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_02EBE06C 0_2_02EBE06C
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_02EBCA70 0_2_02EBCA70
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_02EB70E8 0_2_02EB70E8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_0563A8E8 0_2_0563A8E8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_0563A8D8 0_2_0563A8D8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09038D98 0_2_09038D98
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_0903B148 0_2_0903B148
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09034A88 0_2_09034A88
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09034AB0 0_2_09034AB0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09038D89 0_2_09038D89
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09034ED9 0_2_09034ED9
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09034EE8 0_2_09034EE8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09037000 0_2_09037000
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09035311 0_2_09035311
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09035320 0_2_09035320
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09036718 0_2_09036718
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09036728 0_2_09036728
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_014BDC74 2_2_014BDC74
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C423A0 2_2_06C423A0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C41E30 2_2_06C41E30
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C47FB8 2_2_06C47FB8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C42C9A 2_2_06C42C9A
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C48C68 2_2_06C48C68
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C45AA0 2_2_06C45AA0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C4BA48 2_2_06C4BA48
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C46A00 2_2_06C46A00
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C43A08 2_2_06C43A08
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C4A8F0 2_2_06C4A8F0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C44928 2_2_06C44928
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C4020F 2_2_06C4020F
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C40220 2_2_06C40220
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C42393 2_2_06C42393
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C47FA8 2_2_06C47FA8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C439F8 2_2_06C439F8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_072157C0 2_2_072157C0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07213E70 2_2_07213E70
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07212598 2_2_07212598
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_072144B0 2_2_072144B0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07217C88 2_2_07217C88
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07212CE2 2_2_07212CE2
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07215120 2_2_07215120
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_072157AF 2_2_072157AF
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07213E60 2_2_07213E60
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_0721143F 2_2_0721143F
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07211488 2_2_07211488
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07211B80 2_2_07211B80
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07211B90 2_2_07211B90
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_0721510F 2_2_0721510F
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_072109B0 2_2_072109B0
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_072101D8 2_2_072101D8
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_07211008 2_2_07211008
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1767570025.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000000.1731733536.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameegW.exe6 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.0000000004231000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.0000000004231000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000000.00000002.1761067913.000000000136E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1988809355.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe Binary or memory string: OriginalFilenameegW.exe6 vs PO-1BdyzarvrjUANe0.exe
Source: PO-1BdyzarvrjUANe0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO-1BdyzarvrjUANe0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GmKRKQHfmJtcXPTxir.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GmKRKQHfmJtcXPTxir.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GmKRKQHfmJtcXPTxir.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-1BdyzarvrjUANe0.exe.log Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Mutant created: NULL
Source: PO-1BdyzarvrjUANe0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO-1BdyzarvrjUANe0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000335A000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003371000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.0000000003402000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000337F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO-1BdyzarvrjUANe0.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe"
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO-1BdyzarvrjUANe0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-1BdyzarvrjUANe0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs .Net Code: cO9dfS0OgE System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_0563C45F push cs; iretd 0_2_0563C463
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_0563264A push esp; retf 0_2_05632651
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_05632648 pushad ; retf 0_2_05632649
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_05632A5D push eax; iretd 0_2_05632A5E
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_09030526 push ss; ret 0_2_09030527
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 0_2_090304E7 push ebp; ret 0_2_090304E8
Source: PO-1BdyzarvrjUANe0.exe Static PE information: section name: .text entropy: 7.838098776126378
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, rZkRXysfeXVYoA0RyF.cs High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, seuy09AN5b7faHphXp.cs High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GjQ6XwkJjat9GxPDcu.cs High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, JJKg8ebTUChCQXE5oX.cs High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, GmKRKQHfmJtcXPTxir.cs High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, OcxLs3zlQmvuaKcpmq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, p6xnyVPjFleaBgG9Ju.cs High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, MWgFDSRB8wfb0WKC1k.cs High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, amgQhAT7fPN3ud71RvY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, bw2npPvQrAROUjGtgC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, x8EQAbobrC1c1P7M6y.cs High entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, t7UJ2KQ1IBo4N52oUu.cs High entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, d4egtNJefeVgDQmw9Y.cs High entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, j9HJJUeI9tO23YHRcJ.cs High entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, YPFVHDdxNPJPKBZRSO.cs High entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, woU1cATS60TfWJL5KwE.cs High entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, hBgXbn67oTOR8K1VGC.cs High entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, lwSFEgGO8fQVunmcX5.cs High entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.7af0000.7.raw.unpack, aQsUnflvEEP8Xc3DWo.cs High entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, rZkRXysfeXVYoA0RyF.cs High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, seuy09AN5b7faHphXp.cs High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GjQ6XwkJjat9GxPDcu.cs High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, JJKg8ebTUChCQXE5oX.cs High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, GmKRKQHfmJtcXPTxir.cs High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, OcxLs3zlQmvuaKcpmq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, p6xnyVPjFleaBgG9Ju.cs High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, MWgFDSRB8wfb0WKC1k.cs High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, amgQhAT7fPN3ud71RvY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, bw2npPvQrAROUjGtgC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, x8EQAbobrC1c1P7M6y.cs High entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, t7UJ2KQ1IBo4N52oUu.cs High entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, d4egtNJefeVgDQmw9Y.cs High entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, j9HJJUeI9tO23YHRcJ.cs High entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, YPFVHDdxNPJPKBZRSO.cs High entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, woU1cATS60TfWJL5KwE.cs High entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, hBgXbn67oTOR8K1VGC.cs High entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, lwSFEgGO8fQVunmcX5.cs High entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.438f9c0.2.raw.unpack, aQsUnflvEEP8Xc3DWo.cs High entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, rZkRXysfeXVYoA0RyF.cs High entropy of concatenated method names: 'OdAya5Xty1', 'hTdyLF1FPF', 'jbGyPKBMOM', 'hACyCIKyPw', 'AIHyrmRrFN', 'EmhyQQvrg9', 'A4DylgevBB', 'JIUyJK2FUg', 'F5TyMe6Tho', 'CsAy4dCL9r'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, seuy09AN5b7faHphXp.cs High entropy of concatenated method names: 'fbpf9MBjV', 'l1qhVBe8K', 'uE5FIErJw', 'zpiNwPTkN', 'xvX9QPP1X', 'BDyGGYYrR', 'k2w7ALSAgd8Mmaqpss', 'nn9HuA3TE0U4RLyxqp', 'LreHt2RXC', 'aATWvc8lm'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GjQ6XwkJjat9GxPDcu.cs High entropy of concatenated method names: 'RB4es3gYYM', 'NwtetTOFgU', 'AyRHOM8gQg', 'mWeHIf1OUn', 'IpbeB1mis4', 'y19e7r8JMl', 'kn3ejKDaeQ', 'X0qegRsuK9', 'e0KeEEh1W5', 'oIGeY0Rsh2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, JJKg8ebTUChCQXE5oX.cs High entropy of concatenated method names: 'vhnr06OJvK', 'j6yrNHEyb3', 'UEMCiTeVTL', 'TclCk6H9SX', 'nQACRl7dKg', 'FcVCKTScn1', 'DHoC3SBukB', 'othC1G59ik', 'PPyCU1qTQi', 'xB7CSbhWw2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, GmKRKQHfmJtcXPTxir.cs High entropy of concatenated method names: 'qcMPgxnB26', 'aBXPETBsgh', 'XByPYmKH74', 'OpNP8Nq3RN', 'Y0IPVQKHdM', 'l4gPwgOfpG', 'bNbPpWkktb', 'tP8PskdE3q', 'drkPAuKSmE', 'UvuPt11LC1'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, OcxLs3zlQmvuaKcpmq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hM9Z6bCfqD', 'W7PZv2yJYU', 'GXSZo8WPe4', 'LMZZeILXc9', 'md1ZHAnS8i', 'H5QZZ8VGfF', 'PdiZWl2jDU'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, p6xnyVPjFleaBgG9Ju.cs High entropy of concatenated method names: 'euVHLXVKR1', 'lXrHPKpjLa', 'swkHC1Klyx', 'QTqHrVuW7Z', 'ykeHQCFxwM', 'BkcHlPbPJq', 'u6hHJD7nhE', 'pZOHMZPond', 'FWeH4HJJq4', 'yYKHc8HPFH'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, MWgFDSRB8wfb0WKC1k.cs High entropy of concatenated method names: 'Dispose', 'O5PIAyxZjx', 'V5x2uunWEL', 'sTpxxZ2YCy', 'bXeItT9vij', 'IuVIzPG4Ft', 'ProcessDialogKey', 'tdA2OU7vtE', 'jnu2IsODYL', 'Rta227t265'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, amgQhAT7fPN3ud71RvY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JlUWgHAAtT', 'Mj7WErHjuB', 'mFbWYoWvQm', 'jXJW8prIes', 'TtHWVtSQZv', 't2KWw4TQH2', 'j1dWp5QyTn'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, bw2npPvQrAROUjGtgC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AKN2AJqwlw', 'Yx82tfvSsf', 'JlX2zB1C9O', 'Bf4yOFTVVZ', 'WvByIgF7FP', 'sNTy2GpvRW', 'n5byyhddYF', 'qRgJOhjVJOFCbRmU8pb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, FQ4Pw8O5w1fgK4LJ1T.cs High entropy of concatenated method names: 'N1sChtn6Gp', 'jgyCFqQgTa', 'HicC59yIkc', 'ufKC9RKXAd', 'BYuCvbm0rx', 'L1NCoolabg', 'wJyCe9n3vJ', 'ySrCHfltSj', 'h6PCZPuFAB', 'PHOCWVjgJ7'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, x8EQAbobrC1c1P7M6y.cs High entropy of concatenated method names: 'IHYHDIsMHw', 'FUtHu1cI4M', 'VQvHi9SKh1', 'xAdHk1eZQp', 'S6aHglQNl6', 'L5ZHRw6SE6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, t7UJ2KQ1IBo4N52oUu.cs High entropy of concatenated method names: 'nojIldKFaK', 'QsqIJhJQOn', 'JtVI4sE4Xw', 'JaMIcCOVY7', 'ihOIvJxkBO', 'nF6IoiecPS', 'OhkBVqx6qR4Lkfjvoo', 'Ex8QZkDIV3MfpbJh2X', 'qh0IINUTRW', 'iAgIyTbiIx'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, d4egtNJefeVgDQmw9Y.cs High entropy of concatenated method names: 'vInQaGxjvb', 'y4dQPLQjyb', 'sIUQrV5pIT', 'BHyQlV3oMb', 'gt2QJKrNYX', 'W98rVKYyPf', 'I4JrwI967W', 'KUErpeqcnn', 'uaPrsrvhPI', 'XH3rAxeUc2'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, j9HJJUeI9tO23YHRcJ.cs High entropy of concatenated method names: 'ToString', 'rWYoBQc5sV', 'S07ouIgNoW', 'BehoiH2cMg', 'VjrokF7dUT', 'r30oRUpFG3', 'LnMoKijCeF', 'OHKo3iNYfq', 'Fxmo10x1QA', 'm5xoUDWdrp'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, YPFVHDdxNPJPKBZRSO.cs High entropy of concatenated method names: 'afRlqtAohS', 'eaWlXUjKvC', 'oKulfv9svr', 'psLlhBfMCQ', 'auSl0CeH0F', 'qAslFxY1wk', 'RwhlN8J9ch', 'wgCl5Dutwl', 'HKOl9VDWLs', 'DjqlGDmhVs'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, woU1cATS60TfWJL5KwE.cs High entropy of concatenated method names: 'LPMZqlVoYe', 'mVgZXi6XHl', 'PYvZfC4r2a', 'E97Zh4gQaV', 'PXeZ0Fsy6L', 'rFjZFXRYWi', 'GGOZNR0Ofw', 'p6RZ5xtAPr', 'i8KZ9icNep', 'WieZGM5NSb'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, hBgXbn67oTOR8K1VGC.cs High entropy of concatenated method names: 'y83652ApkE', 'VZx69rpyuc', 'GDt6D5apva', 'AUw6u3D5wD', 'fb66klOAtO', 'xcX6RdJkw0', 'IcY63eou9R', 'PNo61jX9uM', 'iYS6SEOROs', 'q7D6Bha5rM'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, lwSFEgGO8fQVunmcX5.cs High entropy of concatenated method names: 'RE7ZI39oy3', 'iVDZymCg1J', 'aWKZdNNhP7', 'ndVZLnZnrN', 'c43ZPcrvx9', 'WZpZrSvqnp', 'uYFZQI7jMC', 'TmkHpSeHna', 'AYSHs8YAPu', 'fOWHA5A4RP'
Source: 0.2.PO-1BdyzarvrjUANe0.exe.4302ba0.4.raw.unpack, aQsUnflvEEP8Xc3DWo.cs High entropy of concatenated method names: 'UY8vSFCh0x', 'VpZv762IZK', 'TBSvgxtxtI', 'dNEvE4njyP', 'tsovuig9qS', 'TrZviFtcak', 't7hvk70fRC', 'ljTvR4JK69', 'G3tvKGaOIg', 'x8Bv3A0jml'

Hooking and other Techniques for Hiding and Protection

barindex
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon3162.png
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 14C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 30C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 50C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 9140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: A140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: A340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: B340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 1470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: 14E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Window / User API: threadDelayed 8590 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Window / User API: threadDelayed 1259 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe TID: 6208 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe TID: 4364 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1989254791.00000000011C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Code function: 2_2_06C46A00 LdrInitializeThunk, 2_2_06C46A00
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Memory written: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Process created: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe "C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.2011875810.0000000006EF6000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.2009786488.00000000062A1000.00000004.00000020.00020000.00000000.sdmp, PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1989254791.00000000011C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $dq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $dq%appdata%`,dqdC:\Users\user\AppData\Roaming`,dqdC:\Users\user\AppData\Roaming\Binance
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLRdq
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $dq&%localappdata%\Coinomi\Coinomi\walletsLRdqD
Source: PO-1BdyzarvrjUANe0.exe, 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $dq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\PO-1BdyzarvrjUANe0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: Yara match File source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1990328338.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.41a3f78.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PO-1BdyzarvrjUANe0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO-1BdyzarvrjUANe0.exe.4158d58.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1988809355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.00000000041E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762571849.000000000419B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1990328338.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 4364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO-1BdyzarvrjUANe0.exe PID: 1732, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs