Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562677
MD5: 96a7b754ca8e8f35ae9e2b88b9f25658
SHA1: ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA256: 21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
Tags: exe, user-Bitsight

Detection

DarkTortilla, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected RHADAMANTHYS Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate results in Google search.
Attribution: Sandworm
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Avira: detection malicious, Label: HEUR/AGEN.1358047
Source: 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox"}
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe ReversingLabs: Detection: 34%
Source: file.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E046E8 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, 0_2_00007FF7E5E046E8
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: wextract.pdbGCTL source: file.exe
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E026B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF7E5E026B8
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4x nop then dec esp 22_2_000001BE066E0511

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 104.37.175.218:7982 -> 192.168.2.6:49910
Source: Malware configuration extractor URLs: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox
Source: global traffic TCP traffic: 192.168.2.6:49910 -> 104.37.175.218:7982
Source: Joe Sandbox View ASN Name: MAJESTIC-HOSTING-01US
Source: unknown TCP traffic detected without corresponding DNS query: 104.37.175.218 (50 occurrences)
Source: Amcache.hve.24.dr String found in binary or memory: http://upx.sf.net
Source: fontdrvhost.exe, fontdrvhost.exe, 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox
Source: fontdrvhost.exe, 00000012.00000003.3045309813.0000000004DBB000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxkernelbasentdllkernel32GetProcessMitigat
Source: fontdrvhost.exe, 00000012.00000002.3045753092.000000000038C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxx
Source: fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_5d029216-b
Source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_817dd6f5-0
Source: Yara match File source: 18.3.fontdrvhost.exe.4ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.fontdrvhost.exe.4ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.fontdrvhost.exe.4d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.fontdrvhost.exe.4ae0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.fontdrvhost.exe.4ae0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fontdrvhost.exe PID: 7916, type: MEMORYSTR
Source: C:\Windows\System32\fontdrvhost.exe Code function: 22_2_000001BE066E1AA4 NtAcceptConnectPort,NtAcceptConnectPort, 22_2_000001BE066E1AA4
Source: C:\Windows\System32\fontdrvhost.exe Code function: 22_2_000001BE066E1CF4 NtAcceptConnectPort,CloseHandle, 22_2_000001BE066E1CF4
Source: C:\Windows\System32\fontdrvhost.exe Code function: 22_2_000001BE066E0AC8 NtAcceptConnectPort,NtAcceptConnectPort, 22_2_000001BE066E0AC8
Source: C:\Windows\System32\fontdrvhost.exe Code function: 22_2_000001BE066E15C0 NtAcceptConnectPort, 22_2_000001BE066E15C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7DDE8 CreateProcessAsUserW, 1_2_08B7DDE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E07FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 0_2_00007FF7E5E07FE4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E033BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 0_2_00007FF7E5E033BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E05810 0_2_00007FF7E5E05810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E01A08 0_2_00007FF7E5E01A08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E04BE0 0_2_00007FF7E5E04BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E05B50 0_2_00007FF7E5E05B50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E0521C 0_2_00007FF7E5E0521C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E0721C 0_2_00007FF7E5E0721C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E04BDE 0_2_00007FF7E5E04BDE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E033BC 0_2_00007FF7E5E033BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E078AE 0_2_00007FF7E5E078AE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_018046A0 1_2_018046A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_031B0DB0 1_2_031B0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_031B2F40 1_2_031B2F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799D798 1_2_0799D798
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799C700 1_2_0799C700
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799EC30 1_2_0799EC30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07990460 1_2_07990460
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799E3A8 1_2_0799E3A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07990929 1_2_07990929
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799D787 1_2_0799D787
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799EF70 1_2_0799EF70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07993690 1_2_07993690
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799C6F9 1_2_0799C6F9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07993679 1_2_07993679
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799EC20 1_2_0799EC20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07998448 1_2_07998448
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799E366 1_2_0799E366
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B76CE0 1_2_08B76CE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7CCE8 1_2_08B7CCE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B79058 1_2_08B79058
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B70040 1_2_08B70040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B735A8 1_2_08B735A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B78518 1_2_08B78518
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B70EE0 1_2_08B70EE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7E670 1_2_08B7E670
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7E368 1_2_08B7E368
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B728A8 1_2_08B728A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B72899 1_2_08B72899
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B77CF8 1_2_08B77CF8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B77CE8 1_2_08B77CE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B76CD2 1_2_08B76CD2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B740DD 1_2_08B740DD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B70006 1_2_08B70006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B73400 1_2_08B73400
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B71460 1_2_08B71460
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B79048 1_2_08B79048
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B71DB9 1_2_08B71DB9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B735A2 1_2_08B735A2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B73188 1_2_08B73188
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B71DC8 1_2_08B71DC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7ED08 1_2_08B7ED08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B78508 1_2_08B78508
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B73178 1_2_08B73178
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B74158 1_2_08B74158
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7AD48 1_2_08B7AD48
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7C6A8 1_2_08B7C6A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B70E01 1_2_08B70E01
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B72BA8 1_2_08B72BA8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B72B98 1_2_08B72B98
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B733F2 1_2_08B733F2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B72F50 1_2_08B72F50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B72F41 1_2_08B72F41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_08B7BF40 1_2_08B7BF40
Source: C:\Windows\System32\fontdrvhost.exe Code function: 22_2_000001BE066E0C70 22_2_000001BE066E0C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420
Source: file.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 821649 bytes, 1 file, at 0x2c +A "computerlead.exe", ID 1653, number 1, 36 datablocks, 0x1503 compression
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs file.exe
Source: computerlead.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: computerlead.exe.0.dr, La53Z.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/7@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E07010 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_00007FF7E5E07010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E033BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 0_2_00007FF7E5E033BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E05B50 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00007FF7E5E05B50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E05810 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17, 0_2_00007FF7E5E05810
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\computerlead.exe.log
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8124
Source: C:\Windows\SysWOW64\fontdrvhost.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-b94d4e13-ee73-4f205d-6f5803211868}
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: file.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8124 -s 136
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: advpack.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: wextract.pdbGCTL source: file.exe
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match File source: 1.2.computerlead.exe.56b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.computerlead.exe.56b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2931668884.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: computerlead.exe PID: 7492, type: MEMORYSTR
Source: computerlead.exe.0.dr, Qw4x7F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: computerlead.exe.0.dr, Qw4x7F.cs .Net Code: f1G System.Reflection.Assembly.Load(byte[])
Source: computerlead.exe.0.dr, Qw4x7F.cs .Net Code: f8ZQy5 System.Reflection.Assembly.Load(byte[])
Source: file.exe Static PE information: 0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E01A08 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF7E5E01A08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_018071F8 pushfd ; retf 1_2_01807315
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_0799D682 push 9B0799D0h; iretd 1_2_0799D695
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_07998448 push FFFFFFC3h; ret 1_2_079986B5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_079972AD pushad ; ret 1_2_079972B3
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B6012 push 00000038h; iretd 18_3_003B601D
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B5606 pushad ; retf 18_3_003B5619
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B225D push eax; ret 18_3_003B225F
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B58BC pushad ; ret 18_3_003B58C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B588E push eax; iretd 18_3_003B589D
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B28ED push ebx; ret 18_3_003B28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B18C0 push ebp; retf 18_3_003B18C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B4920 push 0000002Eh; iretd 18_3_003B4922
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B5F0C push es; iretd 18_3_003B5F0D
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B1179 push FFFFFF82h; iretd 18_3_003B117B
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B278B push ebx; ret 18_3_003B28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B0FEA push eax; ret 18_3_003B0FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B5FEE push FFFFFFD2h; retf 18_3_003B6011
Source: computerlead.exe.0.dr, s3JF.cs High entropy of concatenated method names: 'Rn7s8N', 'MoveNext', 'f8MTe1', 'SetStateMachine', 'r0C2Qj', 'MoveNext', 'e2P9Lf', 'SetStateMachine', 'x8NHg2', 'i9G8'
Source: computerlead.exe.0.dr, r8C.cs High entropy of concatenated method names: 'Nd', 'MoveNext', 'g1', 'SetStateMachine', 'Gi', 'Fy', 'm8', 'Ho', 'Fj', 'o0'
Source: computerlead.exe.0.dr, Qw4x7F.cs High entropy of concatenated method names: 'r8T', 'Nt8', 'Pk0', 'p6C', 'f1G', 'x3Z', 'Cp7', 'a8D', 'y1B', 'Gj6'
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E01D28 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00007FF7E5E01D28
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: computerlead.exe PID: 7492, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API/Special instruction interceptor: Address: 7FFDB442D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe API/Special instruction interceptor: Address: 7FFDB442D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe API/Special instruction interceptor: Address: 4CDB83A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Section loaded: OutputDebugStringW count: 1939
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MP.EXEX64DBG.EXEX32DBG.E
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""<
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 17A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 32E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 3120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 8CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 9CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: 9EA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: AEA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: B260000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: C260000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Window / User API: threadDelayed 2802 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Window / User API: threadDelayed 7020 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -37094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -36110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35181s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -35016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34553s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34322s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34216s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -33078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664 Thread sleep time: -32188s >= -30000s
Source: C:\Windows\SysWOW64\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E026B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF7E5E026B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E041EC GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF7E5E041EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 38000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37874
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37765
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37656
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37547
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37438
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37313
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37203
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 37094
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36969
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36860
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36735
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36610
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36485
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36360
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36235
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 36110
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35985
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35860
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35735
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35610
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35485
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35360
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35181
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 35016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34891
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34781
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34672
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34553
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34438
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34322
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34216
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34109
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 34000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33891
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33781
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33672
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33563
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33438
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33313
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33188
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 33078
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32968
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32859
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32745
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32641
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32516
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32406
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32297
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Thread delayed: delay time: 32188
Source: Amcache.hve.24.dr Binary or memory string: VMware
Source: Amcache.hve.24.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr Binary or memory string: VMware, Inc.
Source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: Amcache.hve.24.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: fontdrvhost.exe, 00000012.00000002.3046069328.000000000093A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi.csvl
Source: Amcache.hve.24.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: fontdrvhost.exe, 00000012.00000002.3046069328.000000000093A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.24.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr Binary or memory string: vmci.sys
Source: Amcache.hve.24.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.24.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTrayS
Source: Amcache.hve.24.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr Binary or memory string: VMware Virtual RAM
Source: fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.24.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Code function: 1_2_01807FA0 CheckRemoteDebuggerPresent, 1_2_01807FA0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E01A08 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF7E5E01A08
Source: C:\Windows\SysWOW64\fontdrvhost.exe Code function: 18_3_003B0283 mov eax, dword ptr fs:[00000030h] 18_3_003B0283
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E01404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E5E01404
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E0170E SetUnhandledExceptionFilter, 0_2_00007FF7E5E0170E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 351000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 399000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3C8000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3CC000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3CE000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4DF008
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 531000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 579000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5A8000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AC000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AE000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3B1008
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 501000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 549000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 578000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 57C000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 57E000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3E2008
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 449000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47C000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 10A6008
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\SysWOW64\fontdrvhost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E02590 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00007FF7E5E02590
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\fontdrvhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E018E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF7E5E018E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7E5E07FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 0_2_00007FF7E5E07FE4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.24.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.24.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY